PACKET COMMUNICATION APPARATUS FOR ROUTING OR DISCARDING A PACKET
SENT FROM A USER TERMINAL

BACKGROUND OF THE INVENTION 

The present invention relates to packet
communications apparatus and a network system, and more
particularly, to packet communications apparatus and a
network system arranged for preventing the unfair use of
networking service, wherein a LAN switch, router, etc. is
used as that apparatus.

Recently, it has been appreciated that information
security techniques for restricting network use are
required in order to ensure the confidentiality of
information transferred over networks. On the other hand,
with convenient use of networks taken into consideration,
networking is implemented such that, only by connecting a
terminal to a network, the terminal user can use networking
service in some Local Area Networks (LANs), typically, for
example, an 802.3 network of Carrier Sense Multiple Access
with Collision Detection (CSMA/CD) type, the specifications
thereof being prescribed by the Institute of Electrical and
Electronics Engineers, Inc. (IEEE).

For a network using a Dynamic Host Configuration
Protocol (DHCP) standardized by the Internet Engineering
Task Force (IETF), when a terminal is newly connected to the
network, its address is automatically assigned to it. By
combining these networks or LANs with mobile terminals such
as notebook-size personal computers, a (public) network
ports system has appeared, allowing a terminal user to use
networking service from anywhere, whenever necessary.
Technique regarding the network ports system has been
disclosed in, for example, JP-A-69765/1999.

SUMMARY OF THE INVENTION 

As networks become easy to use, however, it is
conceivable that even a user who is not authorized to use
networking service (unauthorized user) can use networking
service only if the user's terminal is connected to a
network. Consequently, a security problem arises that
resources such as file servers connected to the network
system are unfairly accessed by unauthorized users.

As a technique used for preventing such unfair access
by unauthorized users, "packet filtering" carried out by
packet communications apparatus such as routers is known.
To enable packet filtering, the conditions for packet
filtering must be preset. However, it is almost impossible
to predetermine the conditions for packet filtering for the
above-mentioned network ports system or the like, that is,
networks wherein a terminal at any place is assigned a
dynamically leased address for networking.

Addressing the above-described problem, an object
of the present invention is to provide packet communications
apparatus and a network system that prevent unauthorized
users from using networking service unfairly.

Another object of the present invention is to
provide packet communications apparatus and a network
system wherein, even if a user connects the user terminal
to a network from anywhere and using a different address each
time the terminal is reconnected to the network, the user
can gain access to a network resource entity only if
authorized to access the entity.

In accordance with the present invention, a packet
communications apparatus is provided that is used in a
network system wherein user terminals that can be linked via
a network to the apparatus send/receive packets to/from a
server for authentication and a file server connected via
a network to the apparatus, comprising a plurality of
network interfaces, a learned address table containing
information for identifying a network interface through
which to send a packet, a packet forwarding unit that selects
a port through which to forward a packet by referring to the
learned address table, according to the state of the network
interfaces, and forwards or discards a packet sent from the
user terminal, addressed to the server for
authentication/file server and vice versa, a processor for
directive packets to change state that receives a directive
packet to change state, holding a directive to change the
state of a specific network interface to one of the connected
state, disconnected state and stateless, via the packet
forwarding unit from the server for authentication, and
state managers, each installed in each network interface,
each of which receives a directive packet to change state from
the processor for directive packets to change state and
changes the state of the network interface to one of the
connected state, disconnected state and stateless,
according to the directive packet to change state.

Moreover, in accordance with the present invention,
a packet communications apparatus is provided that is used
in a network system wherein user terminals that can be linked
via a network to the apparatus send/receive packets to/from
a server for authentication and a file server connected via
a network to the apparatus, comprising physical interfaces,
each making the connection to a network, a packet forwarding
unit that selects a port through which to forward a packet,
filtering units that perform packet filtering, each located
between each physical interface and the packet forwarding
unit and comprising a filtering table containing
information for forwarding or discarding a packet and a
packet processor that discards a packet or transfers a
packet to the packet forwarding unit, according to the
contents of the filtering table, and a processor for
directives to change filtering that transfers a directive
to change filtering from the server for authentication to
the appropriate filtering unit, changes the information in
the filtering table initially set to discard all received
packets, according to the directive from the server for
authentication, and sequentially adds to the filtering table
information for forwarding such packets to the file server
that include, as the source address, the address of a user
terminal that has now been user-authenticated by the server
for authentication.

Moreover, in accordance with the present invention,
a packet communications apparatus is provided that is used
in a network system wherein user terminals that can be linked
via a network to the apparatus send/receive packets to/from
a server for authentication and a file server connected via
a network to the apparatus, comprising network interfaces
for sending/receiving packets to/from the user terminals,
the server for authentication and the file server, an IP
address registration table in which the addresses of the
user terminals user-authenticated by the server for
authentication are registered, and a packet forwarding unit
that forwards a packet whose source address matches an
address registered in the IP address registration table and
encapsulates a packet whose source address is not registered
in the IP address registration table and then sends the
encapsulated packet to a specific address.

A feature of the present invention is that the
packet communications apparatus essentially comprises a
plurality of network interfaces, the packet forwarding
unit, and the state managers, each keeping the state of each
network interface in one of the connected state,
disconnected state and stateless. The packet forwarding
unit selects a port through which to forward a packet,
depending on the state of the network interfaces.

Another feature of the present invention is that the
packet communications apparatus includes the processor for
directive packets to change state and can change the state
of a network interface that is specified in a directive
packet to change state to a state specified in the directive
packet.

A further feature of the present invention is that
each network interface includes a link down detector and the
packet communications apparatus can change the state of the
network interface to the disconnected state when the link down
detector detects link-down.

The present invention is preferably implemented
such that all network interfaces are initialized to the
disconnected state when the packet communications apparatus
is initialized.

Yet another feature of the present invention is that
the packet communications apparatus can forward packets
received at a network interface set in the disconnected
state to only a specific network interface.

The present invention is preferably implemented
such that the packet communications apparatus does not
forward packets received at a network interface set in the
disconnected state to a network interface set in the
disconnected or connected state.

The present invention is preferably implemented
such that the packet communications apparatus changes the
state of a network interface to which a terminal operated
by an authenticated user is linked to the connected state.

A still further feature of the present invention is
that the packet communications apparatus essentially
comprises a plurality of network interfaces, the packet
forwarding unit, the filtering table, the packet filtering
units that perform packet filtering, according to the
contents of the filtering table, and the processor for
directives to change filtering that updates the contents of
the filtering table by a directive from the external, and
to the filtering tables whose contents are initially set to
discard all received packets, information for permitting
the packet communications apparatus to forward packets
including a specific source address can be added
sequentially, according to a directive from the external.

The present invention is preferably implemented 
such that information for permitting the packet 
communications apparatus to forward packets whose 
destination address is the address of a terminal operated 
by an authenticated user is sequentially added to the 
filtering table. 
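As an added illustration of the filtering-table embodiment summarized above (this is example code written for this page, not code from the patent), the following Python models filtering units whose tables start as "discard all" and are grown by directives from the server for authentication: first a permit for the authenticated terminal's source address on the interface the terminal is attached to, then a permit for packets destined to that terminal on the file server's interface, so that replies can pass. Assumptions not stated on the page: entries match on source and/or destination address and the first matching entry wins; the directive names the interfaces to update; the administrator pre-installs permits for traffic to and from the server for authentication so that the authentication exchange itself can pass the initial discard-all table; and a revoke operation removes a terminal's entries when it leaves.

```python
"""Filtering-unit embodiment: per-interface filtering tables that start as
'discard all' and are grown by directives from the server for authentication.
Added example; not the patent's own code.  Assumptions: entries match on a
source and/or destination address, first matching entry wins, the directive
names the interfaces to update, and the administrator pre-installs permits
for traffic to and from the server for authentication."""
from dataclasses import dataclass
from typing import Optional

PERMIT, DISCARD = "permit", "discard"


@dataclass(frozen=True)
class Entry:
    src: Optional[str]   # None = wildcard
    dst: Optional[str]
    action: str

    def matches(self, src: str, dst: str) -> bool:
        return self.src in (None, src) and self.dst in (None, dst)


class FilteringUnit:
    """One filtering unit (1012..1017 in FIG. 10): sits between a physical
    interface and the packet forwarding unit.  Initial table: discard all."""
    def __init__(self, name: str):
        self.name = name
        self.table = [Entry(None, None, DISCARD)]

    def add_permit(self, src=None, dst=None):
        # prepend so the new permit precedes the catch-all discard entry
        self.table.insert(0, Entry(src, dst, PERMIT))

    def remove_for(self, addr: str):
        self.table = [e for e in self.table if addr not in (e.src, e.dst)]

    def decide(self, src: str, dst: str) -> str:
        for e in self.table:
            if e.matches(src, dst):
                return e.action
        return DISCARD


class FilteringRouter:
    def __init__(self, interfaces, auth_server: str):
        self.units = {i: FilteringUnit(i) for i in interfaces}
        for u in self.units.values():        # assumption: bootstrap permits
            u.add_permit(dst=auth_server)    # terminal -> server for authentication
            u.add_permit(src=auth_server)    # server for authentication -> terminal
        self.forwarded = []

    def directive_change_filtering(self, terminal_addr, terminal_if, server_if):
        """Processor for directives to change filtering: after the server for
        authentication has authenticated `terminal_addr`, permit packets from
        it on its own interface and packets to it on the file server's."""
        self.units[terminal_if].add_permit(src=terminal_addr)
        self.units[server_if].add_permit(dst=terminal_addr)

    def revoke(self, terminal_addr):
        """Assumed housekeeping: drop a terminal's entries when it leaves."""
        for u in self.units.values():
            u.remove_for(terminal_addr)

    def receive(self, rx_if: str, src: str, dst: str) -> str:
        action = self.units[rx_if].decide(src, dst)
        if action == PERMIT:                 # handed to the packet forwarding unit
            self.forwarded.append((rx_if, src, dst))
        return action


def scenario():
    """Constructed addresses; replays: blocked, authenticate, permitted, revoked."""
    AUTH, FILE, TERM, OTHER = "10.0.0.1", "10.0.0.2", "10.0.1.33", "10.0.1.34"
    r = FilteringRouter(["if_auth", "if_file", "if_port"], AUTH)
    out = {}
    out["before"] = r.receive("if_port", TERM, FILE)       # discard: table is discard-all
    out["to_auth"] = r.receive("if_port", TERM, AUTH)      # permit: bootstrap entry
    out["from_auth"] = r.receive("if_auth", AUTH, TERM)    # permit: bootstrap entry
    r.directive_change_filtering(TERM, "if_port", "if_file")
    out["after"] = r.receive("if_port", TERM, FILE)        # permit: src entry added
    out["reply"] = r.receive("if_file", FILE, TERM)        # permit: dst entry added
    out["other_terminal"] = r.receive("if_port", OTHER, FILE)  # still discarded
    r.revoke(TERM)
    out["revoked"] = r.receive("if_port", TERM, FILE)      # discarded again
    return out
```

Because the permit keys on the terminal's address alone, any host on the same port that can source that address inherits the permit; the state-based embodiment avoids this by tying the permission to the physical interface instead.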

Yet another feature of the present invention is
that the packet communications apparatus essentially
comprises a plurality of network interfaces, the packet
forwarding unit, the filtering table, the learned address
table, and the processor for directive packets to change
state, and when it receives a directive packet to change state
that directs it to register the source address of the
received packet into the filtering table and to register a
specific address registered in the filtering table into the
learned address table, the processor for directive packets
to change state registers the specific address registered
in the filtering table into the learned address table.

The present invention is preferably implemented
such that the packet communications apparatus
unconditionally forwards a packet whose destination address
is registered in the learned address table and forwards a
packet whose destination address is registered in the
filtering table, but not registered in the learned address
table, provided the packet includes a specific source
address.

The present invention is preferably implemented
such that the packet communications apparatus can be
directed to register the address of a terminal operated by
an authenticated user into the learned address table.

The present invention is preferably implemented
such that the packet communications apparatus essentially
comprises a plurality of network interfaces, the packet
forwarding unit, and the address registration table,
forwards a packet whose source address is registered in the
address registration table, and encapsulates a packet whose
source address is not registered in the address registration
table and then sends the encapsulated packet to a specific
address.

The present invention is preferably implemented
such that, when encapsulating and sending a packet whose
source address is not registered in the address registration
table, the address of the equipment that performs user
authentication is specified as the destination address of
the encapsulated packet.

The present invention is preferably implemented
such that the packet communications apparatus registers the
address of a terminal operated by an authenticated user into
the address registration table.
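The address-registration embodiment summarized above, as an added Python example (not the patent's code): a router forwards packets whose source IP address is in the registration table and encapsulates every other packet toward the server for authentication, which unwraps it, checks the credentials and then has the router register the terminal's address. The page says only that the packet is encapsulated and addressed to the authentication equipment; the choice of IP-in-IP (an outer IPv4 header with protocol number 4), the addresses, and the toy "user:password" payload are assumptions made for this example.

```python
"""Address-registration embodiment: forward packets whose source IP is
registered, encapsulate everything else and send it to the server for
authentication.  Added example, not the patent's code.  Assumption: the
encapsulation is IP-in-IP (outer IPv4 header, protocol 4); addresses and the
'user:password' credential format are constructed for the example."""
import ipaddress
import struct

IPPROTO_IPIP = 4


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 ones'-complement checksum over an even-length header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); rejects a corrupted header."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return src, dst, pkt[9], pkt[ihl:]


class RegistrationRouter:
    """Packet forwarding unit consulting the IP address registration table."""
    def __init__(self, own_ip: str, auth_server_ip: str):
        self.own_ip, self.auth_server_ip = own_ip, auth_server_ip
        self.registered = set()            # IP address registration table
        self.forwarded, self.to_auth = [], []

    def register(self, ip: str):
        self.registered.add(ip)

    def handle(self, pkt: bytes) -> str:
        src, _dst, _proto, _payload = parse_ipv4(pkt)
        if src in self.registered:
            self.forwarded.append(pkt)
            return "forward"
        # unregistered source: wrap the whole packet and hand it to the authenticator
        self.to_auth.append(build_ipv4(self.own_ip, self.auth_server_ip, IPPROTO_IPIP, pkt))
        return "encapsulate"


class AuthServer:
    """Server for authentication: unwraps the encapsulated packet, checks the
    credentials carried in the inner payload, and directs the router to
    register the terminal's address."""
    def __init__(self, ip: str, users: dict):
        self.ip, self.users = ip, users

    def handle_encapsulated(self, outer: bytes, router: RegistrationRouter) -> str:
        _src, dst, proto, inner = parse_ipv4(outer)
        if dst != self.ip or proto != IPPROTO_IPIP:
            return "ignore"
        term_ip, _, _, payload = parse_ipv4(inner)
        try:
            user, pw = payload.decode().split(":", 1)
        except (UnicodeDecodeError, ValueError):
            return "reject"                # not a credential packet
        if self.users.get(user) != pw:
            return "reject"
        router.register(term_ip)           # directive to the registration table
        return "registered"


def scenario():
    """Constructed addresses: blocked access, authentication, permitted access."""
    router = RegistrationRouter("192.168.1.1", "192.168.1.10")
    auth = AuthServer("192.168.1.10", {"alice": "s3cret"})
    term, file_server = "192.168.2.12", "192.168.1.20"
    res = {}
    res["first"] = router.handle(build_ipv4(term, file_server, 6, b"GET /"))
    res["auth_bad"] = auth.handle_encapsulated(router.to_auth[-1], router)
    router.handle(build_ipv4(term, auth.ip, 17, b"alice:s3cret"))
    res["auth_ok"] = auth.handle_encapsulated(router.to_auth[-1], router)
    res["second"] = router.handle(build_ipv4(term, file_server, 6, b"GET /"))
    res["spoof"] = router.handle(build_ipv4("192.168.2.13", file_server, 6, b"GET /"))
    return res
```

The decision keys only on the source IP address, so a host that can send from a registered address passes the check; the registration is worth pairing with the link-down handling described later so that an address is dropped from the table when its terminal leaves the port.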

The present invention is preferably implemented
such that each network interface of the packet
communications apparatus has a function of monitoring its
state, thereby seeing whether it is in the disconnected
state, and disconnects communication if it enters the
disconnected state.

The present invention is preferably implemented
such that, when a terminal is disconnected from the network,
the network interface that detected the disconnection
automatically changes to the "disconnected" state.

The present invention is preferably implemented
such that the packet communications apparatus memorizes the
addresses respectively assigned to terminal users and sets
packet filtering On/Off, according to the memorized
addresses.

Other and further objects, features and advantages of
the invention will appear more fully from the following
description.

BRIEF DESCRIPTION OF THE DRAWINGS 

A preferred form of the present invention is illustrated
in the accompanying drawings, in which:
FIG. 1 is a structural diagram of a packet
communications apparatus in accordance with a preferred
embodiment of the present invention;

FIG. 2 is a structural diagram of one of network
interfaces 102 to 107;

FIG. 3 illustrates a learned address table 108 and
entries;

FIG. 4 is a topological schematic diagram of a
network system in which a LAN switch 100 is used;

FIG. 5 is a diagram of communication sequence after
the connection of a user terminal 403 to a network port 409;

FIG. 6 is a flowchart illustrating how the LAN
switch 100 forwards a packet;

FIG. 7 illustrates the learned address table 108 and
updated entries;

FIG. 8 is a flowchart of the step 604 mentioned in
FIG. 6;

FIG. 9 illustrates a forwarding table 901 and
entries;

FIG. 10 is a structural diagram of a packet
communications apparatus configured in accordance with
another preferred embodiment of the invention;

FIG. 11 is a structural diagram of one of filtering
units 1012 to 1017;

FIG. 12 illustrates a filtering table 1101 and
entries;

FIG. 13 is a topological schematic diagram of a
network system in which a router 1000 is used;

FIG. 14 is a diagram of communication sequence after
the connection of a user terminal 1333 to a network port 409;

FIG. 15 illustrates the filtering table 1101 and
updated entries;

FIG. 16 is a structural diagram of a packet
communications apparatus configured in accordance with a
further preferred embodiment;

FIG. 17 illustrates a filtering table 1606 and
entries;

FIG. 18 illustrates a learned address table 1606 and
entries;

FIG. 19 is a topological schematic diagram of a
network system in which a LAN switch 1600 is used;

FIG. 20 is a diagram of communication sequence after
the connection of a user terminal 1905 to a network port 409
of network B;

FIG. 21 is a flowchart illustrating how the LAN
switch 1600 forwards a packet;

FIG. 22 illustrates the learned address table 1606
and updated entries;

FIG. 23 is a topological schematic diagram of a
network system in which a router 2300 is used;

FIG. 24 is a diagram of communication sequence after
the connection of a user terminal 2312 to a network port
connected to network B 2313;

FIG. 25 is a flowchart illustrating how the router
2300 forwards a packet;

FIG. 26 is a flowchart illustrating how a server for
authentication 2310 handles a packet it received;

FIG. 27 illustrates an IP address registration
table 2306 and entries in the initial state;

FIG. 28 is a topological schematic diagram of a
network system wherein a plurality of networks are
interconnected via a plurality of packet communications
apparatuses A to C 2801 and a router 2820;

FIG. 29 illustrates a subnet table 2814 and entries;

FIG. 30 illustrates an address for authentication
table 2813 and entries;

FIG. 31 illustrates an out-of-authentication address table
2812 and an entry;

FIG. 32 is a flowchart illustrating how each packet
communications apparatus forwards a packet;

FIG. 33 is a diagram of communication sequence after
the connection of a user terminal 2806 to a network in a
network ports system 2830;

FIG. 34 is a flowchart illustrating an ARP packet
learning process to be executed by each packet
communications apparatus 2801;

FIG. 35 illustrates a learned address table 2811 and
entries;

FIG. 36 illustrates the learned address table 2811
and updated entries;

FIG. 37 illustrates the learned address table and
updated entries; and

FIG. 38 is a flowchart illustrating a process of
updating the learned address table 2811 to be executed by
each packet communications apparatus 2801.

DESCRIPTION OF THE PREFERRED EMBODIMENTS 

With reference to the appended drawings, preferred
embodiments of the present invention will be described.

FIG. 1 is a structural diagram of a packet
communications apparatus configured in accordance with a
preferred embodiment (first illustrative embodiment) of the
present invention.

A LAN switch 100 as the packet communications
apparatus, for example, comprises a packet forwarding unit
101, a plurality of network interfaces (hereinafter
abbreviated to NIFs) 102 to 107, a learned address table 108,
and a processor for directive packets to change state
(hereinafter abbreviated to PDPCS) 109. The NIFs 102 to 107
are assigned respective names (A to F as shown) for their
unique identification. Instead of the names, numbers or the
like may be used if the NIFs can uniquely be identified by
them.

These NIFs 102 to 107 are respectively connected to
different networks and perform packet sending/receiving.
In the first illustrative embodiment, it is assumed that
802.3 networks of CSMA/CD type, the specifications thereof
being prescribed by the IEEE, are connected to the switch
with twisted pair cables. However, the present invention
is applicable to other types of networks (for example,
wireless networks).

The packet forwarding unit 101 connects with all
NIFs 102 to 107 and performs packet forwarding on the data link
layer in the Open System Interconnection (OSI) reference
model. The learned address table 108 contains information
required for the packet forwarding unit 101 to determine a
port through which to send a packet.

FIG. 3 illustrates the learned address table 108 and
entries (1).

The learned address table 108 contains entries in
an address field 301 and a sending port field 302. The
address field 301 contains a physical address (hereinafter
represented as a MAC address) and the sending port field 302
contains the name of an NIF. The meaning of each line of
entry in the learned address table 108 is that, if the
destination address of a packet matches the address in the
address field 301, the packet is sent through the NIF in the
sending port field 302 on the same entry line. Additionally,
a plurality of NIFs may be registered into the sending port
field 302. As an example, for a special case, if the MAC
address of the LAN switch 100 itself has been registered into
the address field 301 and "X" into the sending port field
302, the meaning of this entry line is that the packet is
handled as a packet addressed to the LAN switch 100 itself.

The PDPCS 109 receives via the packet forwarding
unit 101 a directive packet to change state sent across any
network connected to the LAN switch 100 from an external
entity (e.g., a server for authentication 401 which will be
described later) to the LAN switch 100. The PDPCS 109
notifies the appropriate one of the NIFs 102 to 107 of the
contents of the received directive packet to change state.
The directive packet to change state holds, as its
information, a directive to change the state of a specific
NIF to a specific state. As the protocol for the packet
communications discussed herein, for example, the Simple
Network Management Protocol (SNMP) is used. However, other
protocols such as the telecommunications network protocol
(telnet) and the Hyper Text Transfer Protocol (HTTP) may be
used. While the LAN switch 100 is used as the packet
communications apparatus in the first illustrative
embodiment, the present invention is applicable to a router
and other types of packet communications apparatus.

FIG. 2 is a structural diagram of one of the NIFs
102 to 107.

An NIF, any one of 102 to 107, for example, comprises
a physical interface 201 at which a network link is
terminated, a link down detector 202 that finds whether the
network is now workable, and a state manager 203 that
controls the state of the NIF, wherein the physical
interface 201 and the state manager 203 are connected to the
packet forwarding unit 101.

The link down detector 202 electrically finds
whether the circuit (cable) of the network is connected to
the LAN switch or whether a terminal connected to the LAN
switch over the line is set in the communication enabled
state (powered-on state). The link down detector 202
notifies the state manager 203 of detected link-down. In
the first illustrative embodiment, the link down detector
202 detects link-down in this way: after the physical
interface 201 alerts it to watch the link-down state, if that
state continues for 100 ms or longer, it judges that the link
is down. If an optical fiber is used as the circuit,
link-down detection is performed depending on whether
optical signals come. If a wireless channel is used instead,
that detection is performed depending on whether radio
waves come.

The state manager 203 controls the state of the NIF,
which may be the "connected" state, the "disconnected" state, or
"stateless." The user (the administrator of the switch) can
preset the NIF, any one of 102 to 107, in the "connected"
state or "stateless" invariably by instructing the state
manager 203 to do so. The NIF, any one of 102 to 107, is
fixed in either state if so set by the user; otherwise, it is
initially put in the "disconnected" state. When the link
down detector 202 notifies the state manager 203 of
link-down, the state manager changes the NIF state to the
"disconnected" state unless a specific state is preset by
the user. Moreover, when the PDPCS 109 gives the state
manager some instruction, the state manager changes the NIF
state to one of the above three states, according to the
instruction.

Then, using a network system as will be shown in FIG.
4 as an example, the operation of the network system in which
the packet communications apparatus of the present
invention is used will be described below.

FIG. 4 is a topological schematic diagram of the
network system in which the LAN switch 100 of the first
illustrative embodiment is used.

The present network system, for example, comprises
the LAN switch 100 (with its MAC address being
22:22:00:FF:FF:FF); a server for authentication 401 (with
its MAC address being 22:22:00:11:11:11) connected to the
NIF-A 102 of the LAN switch 100; a file server 402 (with its
MAC address being 22:22:00:22:22:22) connected to the NIF-B
103 of the LAN switch 100; so-called network ports 409
respectively linked to the NIFs C to F, 104 to 107, allowing
end users to use networking service by freely connecting
their terminals thereto; and a representative user terminal
403 (with its MAC address being 22:22:FF:00:00:01)
connected via a network port 409 to the NIF-C 104.

The server for authentication 401 judges whether a
terminal user that is attempting connection is authorized
to use networking service and notifies the LAN switch 100
of the result thereof. In the first illustrative
embodiment, a terminal user is authenticated by user ID and
password. The initial settings of the NIFs A to F (102 to
107) of the LAN switch 100 are assumed as follows: NIF-B 103
is set in the invariably "connected" state, NIF-A 102 is set
in the "stateless" state, and the remaining NIFs C to F (104 to 107)
are not set in any state. Thus, the NIFs C to F (104 to 107)
remain in the "disconnected" state when being initialized
(at this time, the contents of the learned address table 108
in the LAN switch 100 are as shown in FIG. 3).

Then, in the present network system, assume that the
user terminal 403 (with its MAC address being
22:22:FF:00:00:01) has now been connected to the network
port 409 that is connected to the NIF-C. This case will be
discussed below.

FIG. 5 is a diagram of communication sequence after
the user makes the connection of the user terminal 403 to
the network port 409.

If the user terminal 403 is not yet user-
authenticated, but access to the file server 402 is
attempted therefrom, a packet 501 addressed to the file
server is sent from the user terminal 403 with its
destination address being the MAC address
(22:22:00:22:22:22) of the file server and its source
address being the MAC address (22:22:FF:00:00:01) of the
user terminal 403. When the LAN switch 100 receives the
packet 501, a process of forwarding the packet begins, which
will be explained below.

FIG. 6 is a flowchart illustrating how the LAN
switch 100 forwards a packet it received.

The packet forwarding unit 101 of the LAN switch
100, which received the packet 501, refers to the learned
address table 108. If the source address (the MAC address
22:22:FF:00:00:01 of the user terminal 403) is not
registered in the learned address table 108, the packet
forwarding unit 101 registers it into the address field 301
on an additional entry line in the learned address table 108.
At the same time, the packet forwarding unit 101 registers
C (the name of the NIF that received the packet 501) into the
sending port field 302 (step 601).

FIG. 7 illustrates the learned address table 108 and
entries (2).

In the learned address table 108, the MAC address
of the user terminal 403 as the source address has now been
registered in the address field on the entry #4 line, and
NIF-C in the sending port field as well.

Since the destination address, the MAC address
(22:22:00:22:22:22) of the file server 402, has been
registered in the learned address table 108 (step 602),
the packet forwarding unit 101 then obtains NIF-B
information as the port through which to send the packet 501,
from the content of the sending port field 302 on the entry
line on which the destination address of the file server 402
has been registered in the learned address table 108 (step
603). Then, the packet forwarding unit 101 carries out the
forwarding process (step 604).

The step 604 will now be explained. 
FIG. 8 is a flowchart of the step 604.

First, the packet forwarding unit 101 judges
whether the sending port (NIF-B 103 in this case) and the
receiving port (NIF-C 104 in this case) are the same (step
801). Since the sending port and the receiving port are
different in the case in question, the packet forwarding
unit 101 forwards the packet according to a forwarding
table 901 which will be described below (step 802).

FIG. 9 illustrates the forwarding table 901 and
entries.

The forwarding table 901 is used for the packet
forwarding unit to determine whether to forward or discard
a packet, depending on the receiving port state and the
sending port state. According to the table entries in the
case in question, the receiving port (NIF-C 104) of the LAN
switch 100 at which the packet 501 sent from the user
terminal 403 was received remains in the "disconnected"
state, while the sending port (NIF-B 103) is set in the
"connected" state. Thus, the forwarding table 901 indicates
"discard." In consequence, the packet 501 is discarded by
the packet forwarding unit 101. By this action, the access
from the unauthenticated user terminal 403 to the file
server 402 has now been avoided.
Then, a case where the user terminal 403 sends the
server for authentication 401 a packet 502 addressed to the
server for authentication will be discussed.

The user terminal 403 sends the packet 502 with its
destination address being the MAC address
(22:22:00:11:11:11) of the server for authentication 401
and its source address being the MAC address
(22:22:FF:00:00:01) of the user terminal 403. When the LAN
switch 100 receives that packet 502, its packet forwarding
unit 101 begins the process of forwarding the packet,
according to the above flowchart shown in FIG. 6.

The packet forwarding unit 101 skips the first step
601 because the MAC address (22:22:FF:00:00:01) of the user
terminal 403 has already been registered into the learned
address table 108 on the last reception of the preceding
packet 501. Since the destination address, the MAC address
(22:22:00:11:11:11) of the server for authentication 401,
has been registered in the learned address table 108 (step
602), the packet forwarding unit 101 then obtains NIF-A
information as the port through which to send the packet 502,
from the content of the sending port field 302 on the entry
line on which the destination address of the server for
authentication 401 has been registered in the learned
address table 108 (step 603). Then, the packet forwarding
unit 101 carries out the forwarding process (step 604).
The step 604 will now be explained again, referring
to FIGS. 8 and 9.

In the first step in FIG. 8, since the sending port
(NIF-A 102 in this case) and the receiving port (NIF-C 104
in this case) are different (step 801), the process goes to
the step 802. In the forwarding table 901 shown in FIG. 9,
since the state of the NIF-C 104 that is the receiving port
is "disconnected" and the state of the NIF-A 102 that is the
sending port is "stateless," the forwarding table 901
indicates "forward." In consequence, the packet forwarding
unit 101 forwards the packet 502 to the server for
authentication 401 through the NIF-A 102.

Moreover, a reply packet 503 is similarly forwarded
from the server for authentication 401 to the user terminal
403. In this case, the NIF-A 102 is the port to receive the
packet 503 and the NIF-C 104 is the port to send it. The
forwarding table 901 indicates "forward" as the state of the
NIF-C is "disconnected" and the state of the NIF-A is
"stateless." Consequently, the packet forwarding unit 101
forwards the packet 503 to the user terminal 403 through the
NIF-C 104. Thereby, a bidirectional communication path
between the server for authentication 401 and the user
terminal 403 has now been established and a user
authentication procedure begins.
On the server for authentication 401, if, for
example, the user ID and password 504 included in the packet 502
sent from the user terminal 403 match those that it holds
as those of a user authorized to use networking service,
the server sends notice of connection permission to the LAN
switch 100. For the notice of connection permission, a
directive packet to change state 505 with its destination
address being the MAC address (22:22:00:FF:FF:FF) of the LAN
switch 100 is used. The packet 505 includes the directive
to "change to connected state" and the MAC address
(22:22:FF:00:00:01) of the user terminal 403 as its
information.

When the LAN switch 100 receives the directive
packet to change state 505, its packet forwarding unit 101
refers to the learned address table 108. Returning to the
forwarding flowchart: in the learned address table 108, "x"
is designated in the sending port field 302 on the entry
line on which the MAC address of the LAN switch 100 itself
has been registered as the destination address of the
directive packet to change state 505 (step 602). Thus, the
packet forwarding unit 101 internally forwards the packet
505 to the PDPCS 109 (step 605). The PDPCS 109 obtains the
MAC address (22:22:FF:00:00:01) of the user terminal 403
from the information included in the packet 505 and searches
through the address fields 301 of the learned address table
108 for that MAC address. For the NIF (C in this case)
designated in the sending port field 302 on the entry line
on which the searched-out MAC address of the user terminal
403 has been registered, the PDPCS 109 directs that its
state be changed to "connected state."

In the NIF-C 104, the state manager 203 changes the
NIF state from "disconnected" to "connected" state. After
that, the NIF-C 104, that is, the port to receive a packet
addressed to the file server 402 sent from the user terminal
403, is in the "connected" state. In this case, because
the NIF-B 103, that is, the port to send the packet, is also
held in the "connected" state, the forwarding table 901
indicates "forward." Thus, the user terminal 403 becomes
able to access the file server 402.

Then, assume that the user terminal 403 has now been
disconnected from the network port 409. In this case, the
LAN switch 100 operates as will be explained below.

When the user disconnects the user terminal 403 from
the network port 409 by pulling out the cable (twisted pair)
therefrom, the physical interface 201 of the NIF-C 104
enters the link down state. On the elapse of 100 ms with
the NIF staying in that state, the link down detector 202
notifies the state manager 203 of link-down. The state
manager 203, when notified of link-down, changes the
state of the NIF-C 104 to "disconnected" state. Thus, even
if a new user terminal is connected to the same network port
409, access from the user terminal to the file server 402
will be disabled until it is user-authenticated.

As described above, by using the LAN switch 100
configured in accordance with the first illustrative
embodiment, a network system can be built that refuses
access from an unauthenticated user terminal 403 to the file
server 402; only after the terminal user is authenticated
does the terminal become able to access the server. After
disconnection of the user terminal 403 from the network
port, access to the file server 402 through the network
port is refused until another user terminal connected to
the port is user-authenticated. While the case where the
user terminal 403 has been connected to the network port 409
connected to the NIF-C 104 was discussed above in the first
illustrative embodiment, the NIFs C to F, 104 to 107, operate
the same and produce the same effect no matter which network
port 409 is used as the port to which the user terminal 403
is connected.

Furthermore, in the first preferred embodiment, the
state of each NIF is reinitialized to "disconnected" state
on the detection of link-down. Alternatively, a terminal
user may notify the server for authentication 401 of
disconnection by communicating therewith before the user
disconnects the link. Upon receiving that notification, the
server for authentication 401 sends a packet including
directive information to "change to disconnected state" and
the MAC address of the user terminal 403 to the MAC address
(22:22:00:FF:FF:FF) of the LAN switch 100. The PDPCS 109
receives this packet and the state of the NIF that forms the
link changes to "disconnected" state as directed by the
PDPCS. In this manner, the user can perform on/off
control of using networking service without disconnecting
the user terminal 403 from the network port 409.
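The forwarding decision of the first embodiment is a lookup keyed on the states of the receiving and sending NIFs, with the authentication server driving state changes through directive packets addressed to the switch itself. The following Python simulation is an added example and not code from the patent. It encodes the three rows of forwarding table 901 that the description actually exercises and marks the remaining rows, the server MAC addresses, the behaviour when sending and receiving ports coincide, and the exemption of stateless ports from link-down reset as assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional

DISCONNECTED, CONNECTED, STATELESS = "disconnected", "connected", "stateless"
INTERNAL = "x"   # sending-port value meaning "deliver to the PDPCS 109"

SWITCH_MAC = "22:22:00:FF:FF:FF"   # LAN switch 100 (from the text)
USER_MAC = "22:22:FF:00:00:01"     # user terminal 403 (from the text)
AUTH_MAC = "22:22:00:AA:AA:01"     # assumption: server for authentication 401
FILE_MAC = "22:22:00:AA:AA:02"     # assumption: file server 402

# Forwarding table 901, keyed (receiving-port state, sending-port state).
# Rows marked "text" are the ones the description exercises; the rest are
# assumptions chosen so that a "disconnected" port can reach only a
# "stateless" port (the server for authentication).
FORWARDING_TABLE_901 = {
    (DISCONNECTED, STATELESS): "forward",     # text: packet 502, user -> auth server
    (STATELESS, DISCONNECTED): "forward",     # text: packet 503, auth server -> user
    (CONNECTED, CONNECTED): "forward",        # text: user -> file server after auth
    (STATELESS, STATELESS): "forward",        # assumption
    (CONNECTED, STATELESS): "forward",        # assumption
    (STATELESS, CONNECTED): "forward",        # assumption
    (DISCONNECTED, CONNECTED): "discard",     # assumption: unauthenticated -> file server
    (CONNECTED, DISCONNECTED): "discard",     # assumption
    (DISCONNECTED, DISCONNECTED): "discard",  # assumption
}


@dataclass
class NIF:
    name: str
    state: str

    def link_down(self) -> None:
        # Link down detector 202 -> state manager 203: after 100 ms of link-down
        # the port is reinitialised to "disconnected". The timer is collapsed
        # here, and stateless server-side ports are assumed to be exempt.
        if self.state != STATELESS:
            self.state = DISCONNECTED


class LanSwitch100:
    def __init__(self) -> None:
        self.nifs = {
            "A": NIF("A", STATELESS),     # NIF-A 102, to the server for authentication 401
            "B": NIF("B", CONNECTED),     # NIF-B 103, to the file server 402 (held "connected")
            "C": NIF("C", DISCONNECTED),  # NIF-C 104, a network port 409 for user terminals
        }
        # Learned address table 108: destination MAC (field 301) -> sending port (field 302).
        self.learned: Dict[str, str] = {
            SWITCH_MAC: INTERNAL, AUTH_MAC: "A", FILE_MAC: "B", USER_MAC: "C",
        }

    def pdpcs(self, directive: dict) -> str:
        """PDPCS 109: find the port the terminal's MAC was learned on and change its state."""
        port = self.learned.get(directive.get("mac"))
        if port in (None, INTERNAL):
            return "ignored"
        self.nifs[port].state = directive["state"]
        return f"{port}:{directive['state']}"

    def receive(self, rx_port: str, dst: str, src: str, payload: Optional[dict] = None) -> str:
        tx_port = self.learned.get(dst)          # step 602: look up the destination
        if tx_port is None:
            return "unknown"                      # flooding of unknown MACs is out of scope here
        if tx_port == INTERNAL:                   # addressed to the switch itself: step 605
            return self.pdpcs(payload or {})
        if tx_port == rx_port:                    # step 801: same port, nothing to forward (assumption)
            return "discard"
        # step 802 onward: decide purely from the two port states
        return FORWARDING_TABLE_901[(self.nifs[rx_port].state, self.nifs[tx_port].state)]


def run_scenario() -> list:
    """Replays the FIG. 5 exchange, the directive-based disconnect and a cable pull."""
    sw, log = LanSwitch100(), []
    log.append(sw.receive("C", FILE_MAC, USER_MAC))            # before auth: discard
    log.append(sw.receive("C", AUTH_MAC, USER_MAC))            # packet 502: forward
    log.append(sw.receive("A", USER_MAC, AUTH_MAC))            # packet 503: forward
    log.append(sw.receive("A", SWITCH_MAC, AUTH_MAC,           # packet 505
                          {"state": CONNECTED, "mac": USER_MAC}))
    log.append(sw.receive("C", FILE_MAC, USER_MAC))            # after auth: forward
    log.append(sw.receive("A", SWITCH_MAC, AUTH_MAC,           # directive to disconnect
                          {"state": DISCONNECTED, "mac": USER_MAC}))
    log.append(sw.receive("C", FILE_MAC, USER_MAC))            # discard again
    sw.pdpcs({"state": CONNECTED, "mac": USER_MAC})            # re-authenticated
    sw.nifs["C"].link_down()                                   # cable pulled
    log.append(sw.receive("C", FILE_MAC, USER_MAC))            # blocked until re-auth
    return log
```

The point worth noticing is that the authorization state lives on the port, not on the terminal: whoever is plugged into NIF-C after the cable pull inherits "disconnected", which is why the link-down reset (or the explicit disconnect directive) is the step that actually revokes access.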

FIG. 10 is a structural diagram of a packet
communications apparatus configured in accordance with
another preferred embodiment (second illustrative
embodiment) of the present invention.

A router 1000 as the packet communications
apparatus, for example, comprises a plurality of physical
interfaces (hereinafter abbreviated to PHYS.IFs) 1002 to
1007, a packet forwarding unit 1001, a plurality of
filtering units 1012 to 1017, and a processor for directives
to change filtering (hereinafter abbreviated to PDCF) 1009.
The PHYS.IFs 1002 to 1007 are respectively connected to
different networks and perform packet sending/receiving.
In the second illustrative embodiment, an IP protocol (IPv4
(IP version 4)) is used as the protocol for forwarding
packets. The present invention is, however, applicable to
other network layer protocols such as, for example, IPv6 (IP
version 6). While the router 1000 is used as the packet
communications apparatus in the second illustrative
embodiment, the present invention is applicable to other
types of packet communications apparatus such as a LAN
switch.

FIG. 11 is a structural diagram of one of the 
filtering units 1012 to 1017. 

A filtering unit, any of 1012 to 1017, comprises a
filtering table 1101 and a packet processor 1102. The
filtering table contains information used for judgment as
to whether to forward or discard a packet. The packet
processor 1102 discards a packet or transfers it to the
packet forwarding unit 1001, according to the information
contained in the filtering table 1101. The packet
transferred to the packet forwarding unit 1001 is further
transferred to one of the PHYS.IFs 1002 to 1007. Each
filtering table 1101 is connected with the PDCF 1009 and the
contents of the table 1101 can be changed as directed by the
PDCF 1009.

FIG. 12 illustrates a filtering table 1101 and
entries (1).

The filtering table 1101 contains information used
for judgment as to whether to forward or discard a packet
and has entries in a destination address condition field
1201, a source address condition field 1202, and a
forward/discard flag field 1203. In the destination address
condition field 1201 and the source address condition field
1202, an IP address or data representing an "arbitrary"
address is registered. In the forward/discard flag field
1203, information is registered to indicate whether to
forward or discard a received packet whose destination
address and source address match the destination address
condition and the source address condition. If a packet
meets a plurality of entries of address information, the top
one of those entries applies to the packet. For a packet not
meeting any entry, the filtering unit transfers it to the
packet forwarding unit 1001.

The PDCF 1009 communicates with a server for
authentication 1311 via a network and receives a directive
to change filtering from the server for authentication 1311.
While telnet is assumed as the communication protocol in the
second illustrative embodiment, other protocols such as
HTTP and Common Open Policy Service (COPS) may be used. The
directive to change filtering includes information to be
registered or deleted on a target entry line and a directive
to add/delete it. The PDCF 1009 reflects the directive in
the filtering table of the filtering unit, any of 1012 to
1017, corresponding to the PHYS.IF, any of 1002 to 1007,
connected to the subnet to which the specified IP address
contained in the source address condition field 1202
belongs.

FIG. 13 is a topological schematic diagram of a
network system in which the router 1000 is used.

The present network system, for example, includes
subnets A to F, 1302 to 1307, respectively connected to the
PHYS.IFs 1002 to 1007 of the router 1000; a server for
authentication 1311 connected to subnet A 1302; a file
server 1322 connected to subnet B 1303; a plurality of
network ports 409 respectively linked to subnets C to F, 1304
to 1307, allowing end users to freely connect their terminals
thereto; and a representative user terminal 1333 connected
via a network port 409 to subnet C 1304.

In the initial state, nothing is registered in the
filtering tables 1101 of the filtering units A 1012 and B
1013 of the router 1000. In the filtering tables 1101 of
the filtering units C to F, 1014 to 1017, the same contents
as illustrated in FIG. 12 are set.

Then, in the present network system, assume that the
user terminal 1333 has been connected to the network port
409 connected to the subnet C 1304. This case will be
discussed below.

FIG. 14 is a diagram of communication sequence after 
the user makes the connection of the user terminal 1333 to 
the network port 409. 
To access the file server 1322, the user terminal
1333 that is not yet user-authenticated sends a packet 1401
addressed to the file server, that is, with its destination
address being the IP address (192.168.2.2) of the file
server 1322. In this case, the packet 1401 is transferred
via the PHYS.IF-C 1004 of the router 1000 to the filtering
unit C 1014. In the filtering table 1101 of the filtering
unit C 1014, as illustrated in FIG. 12, entry #2 exists, on
the line of which the content of the destination address
condition field 1201 matches the destination address
included in the packet 1401. The filtering unit C 1014
refers to entry #2 in the filtering table 1101 and looks up
the contents of the associated source address condition
field 1202 and forward/discard flag field 1203. The content
of the forward/discard flag field 1203 on the entry #2 line
of the filtering table 1101 indicates "discard." Thus, the
filtering unit C 1014 discards the packet 1401, according
to the contents of the filtering table 1101. In consequence,
the packet 1401 sent from the unauthenticated user terminal
1333 does not arrive at the file server 1322.

Next, a procedure in which the user terminal 1333
is user-authenticated and permitted access to the file
server 1322 will be explained.

To gain authentication, the user terminal 1333
sends a packet 1402 with its destination address being the
IP address (192.168.1.1) of the server for authentication
1311. The packet 1402 is received by the PHYS.IF-C 1004
of the router 1000 and transferred to the filtering unit C
1014. The filtering unit C 1014 searches the filtering table
1101 for a match with the packet 1402. In this case, the
contents of the address condition fields 1201 on both lines
of entries #1 and #2 in the filtering table 1101 match the
destination address included in the packet 1402.

Of these entries registered in the table, the top
one, namely entry #1, applies to the packet 1402. The content
of the forward/discard flag field 1203 on the line of entry
#1 in the filtering table 1101 indicates "forward." Thus,
the filtering unit C 1014, which referred to the filtering
table 1101 and entry #1, transfers the packet to the packet
forwarding unit 1001, according to the content of the
forward/discard flag field 1203. The packet forwarding unit
1001 forwards the packet 1402 through the PHYS.IF-A 1002
to the server for authentication 1311. Thereby, a
communication path from the user terminal 1333 to the server
for authentication 1311 has now been established.

A reply packet 1403 sent from the server for
authentication 1311 to the user terminal 1333 is received by
the PHYS.IF-A 1002 and transferred to the filtering unit
A 1012. The filtering table 1101 of the filtering unit A
1012 has no entries registered. Thus, the filtering unit
A 1012 transfers the packet 1403 to the packet forwarding
unit 1001.

The packet forwarding unit 1001 sends the packet
1403 through the PHYS.IF-C 1004 to the user terminal 1333.
Thereby a bidirectional communication path between the user
terminal 1333 and the server for authentication 1311 has now
been established so that the user of the user terminal 1333
can gain authentication from the server for authentication
1311.

The packet 1403 requests the user terminal 1333 to
send a user ID and password. Thus, the user inputs a user ID
and password to the user terminal 1333 which received the
packet 1403. A packet 1404 including the input user ID and
password is sent from the user terminal 1333 to the server
for authentication 1311. The packet 1404 is forwarded by
the router 1000 as described above and received by the server
for authentication 1311. On the server for authentication
1311, if the user ID and password included in the packet 1404
sent from the user terminal 1333 match those that it holds
as those of a user authorized to make a networking
connection, the server communicates with the PDCF 1009 of
the router 1000 and issues a directive 1405 to add an entry
line to the filtering table 1101 and register "arbitrary"
into the destination address condition field 1201,
"192.168.3.3," namely, the IP address of the user terminal
1333, into the source address condition field 1202, and
"forward" into the forward/discard flag field 1203.

FIG. 15 illustrates the filtering table 1101 and
entries (2).

Since the subnet (subnet C 1304) to which the source
address condition "192.168.3.3" specified by the directive
from the server for authentication 1311 belongs is connected
to the PHYS.IF-C 1004, the PDCF 1009 adds an entry line and
registers the values specified by the directive in the
filtering table 1101 of the filtering unit C 1014. As a
result, a new entry #1 line is added to the filtering table
1101 of the filtering unit C 1014 and the filtering table
1101 contains three sets of entries numbered #1 to #3 as
illustrated in FIG. 15.

After that, when the user terminal 1333 sends a
packet 1406 addressed to the file server 1322, the source
address included in the packet 1406 matches the source
address condition on the line of entry #1 in the filtering
table 1101 of the filtering unit C 1014. Thus, the packet
1406 is transferred from the filtering unit C to the packet
forwarding unit 1001 and forwarded to the file server 1322.
In consequence, the user terminal 1333 becomes able to
access the file server 1322.

As described above, by using the router 1000, a
network system can be built that refuses access to the file
server 1322 from a user terminal 1333 that is not yet
user-authenticated by the server for authentication 1311;
only after being user-authenticated is the user terminal 1333
permitted to access the file server 1322. The PHYS.IFs
1002 to 1007 of the router 1000 can each accommodate a
plurality of network ports 409. Moreover, the router has
discrete filtering units per PHYS.IF so that the filtering
load on the router 1000 can be distributed.
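The second embodiment reduces to a per-interface, ordered access list: the first entry whose destination and source conditions both match decides, an unmatched packet is handed on, and the PDCF inserts the server's directive at the top of the table serving the subnet of the named source address. The simulation below is an added example, not the patent's code; the two initial entries of FIG. 12 are reconstructed from the text's description of packets 1401 and 1402, and the /24 subnet prefixes used to map a source address to a PHYS.IF are assumptions (the text gives only host addresses).

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

ANY = "arbitrary"                   # wildcard the text registers in a condition field


@dataclass
class Entry:
    dst: str                        # destination address condition field 1201
    src: str                        # source address condition field 1202
    flag: str                       # forward/discard flag field 1203

    def matches(self, dst_ip: str, src_ip: str) -> bool:
        return self.dst in (ANY, dst_ip) and self.src in (ANY, src_ip)


class FilteringUnit:
    """Filtering table 1101 plus packet processor 1102: the top matching entry wins."""

    def __init__(self, entries=()) -> None:
        self.table: List[Entry] = list(entries)    # entry #1 is index 0

    def decide(self, dst_ip: str, src_ip: str) -> str:
        for entry in self.table:
            if entry.matches(dst_ip, src_ip):
                return entry.flag
        return "forward"            # no entry met: hand to the packet forwarding unit 1001


AUTH_IP = "192.168.1.1"             # server for authentication 1311 (from the text)
FILE_IP = "192.168.2.2"             # file server 1322 (from the text)
USER_IP = "192.168.3.3"             # user terminal 1333 (from the text)


def initial_table_fig12() -> List[Entry]:
    # Reconstructed from the text: entry #1 admits traffic to the server for
    # authentication, entry #2 matches every destination and discards. Packet
    # 1402 (to AUTH_IP) meets both, and the top entry applies.
    return [Entry(AUTH_IP, ANY, "forward"), Entry(ANY, ANY, "discard")]


class Router1000:
    def __init__(self) -> None:
        self.units: Dict[str, FilteringUnit] = {
            "A": FilteringUnit(), "B": FilteringUnit(),
            **{name: FilteringUnit(initial_table_fig12()) for name in "CDEF"},
        }
        # Subnet prefixes are assumptions; the text gives only host addresses.
        self.subnets = {name: ipaddress.ip_network(f"192.168.{i}.0/24")
                        for i, name in enumerate("ABCDEF", start=1)}

    def pdcf(self, action: str, entry: Entry) -> str:
        """PDCF 1009: apply an add/delete directive to the filtering unit whose
        PHYS.IF serves the subnet of the entry's source address condition."""
        if entry.src == ANY:
            raise ValueError("directive must name a source address to select a unit")
        addr = ipaddress.ip_address(entry.src)
        unit_name = next(n for n, net in self.subnets.items() if addr in net)
        table = self.units[unit_name].table
        if action == "add":
            table.insert(0, entry)  # becomes the new entry #1, as in FIG. 15
        elif action == "delete":
            table.remove(entry)
        else:
            raise ValueError(f"unknown directive {action!r}")
        return unit_name

    def receive(self, phys_if: str, dst_ip: str, src_ip: str) -> str:
        return self.units[phys_if].decide(dst_ip, src_ip)


def run_sequence_fig14() -> list:
    """Replays packets 1401 to 1406 of FIG. 14, then a later delete directive."""
    r, log = Router1000(), []
    log.append(r.receive("C", FILE_IP, USER_IP))   # packet 1401: entry #2 -> discard
    log.append(r.receive("C", AUTH_IP, USER_IP))   # packet 1402: entry #1 -> forward
    log.append(r.receive("A", USER_IP, AUTH_IP))   # packet 1403: unit A empty -> forward
    log.append(r.pdcf("add", Entry(ANY, USER_IP, "forward")))   # directive 1405 -> "C"
    log.append(len(r.units["C"].table))            # three entries, FIG. 15
    log.append(r.receive("C", FILE_IP, USER_IP))   # packet 1406 -> forward
    r.pdcf("delete", Entry(ANY, USER_IP, "forward"))   # revocation
    log.append(r.receive("C", FILE_IP, USER_IP))   # discard again
    return log
```

Two properties follow directly from the table semantics and are worth checking in any deployment of this scheme: insertion order is authorization order (a "forward" row must land above the catch-all "discard" row, which is why the PDCF inserts at the top), and the row keys on nothing but the source IP address the packet carries, so the binding between that address and a physical port is only as strong as the subnet-to-interface mapping the PDCF uses.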

FIG. 16 is a structural diagram of a packet
communications apparatus configured in accordance with a
further preferred embodiment (third illustrative
embodiment) of the present invention.

A LAN switch 1600 as the packet communications
apparatus, for example, comprises a packet forwarding unit
1601, a plurality of network interfaces (NIFs) 1602 to 1605,
a learned address table 1606, a filtering table 1607 and a
processor for directive packets to change state (PDPCS)
1608. The NIFs 1602 to 1605 are assigned respective names
(A to D as shown) for their unique identification; instead
of the names, numbers or the like may be used if the NIFs
can uniquely be identified by them.

These NIFs 1602 to 1605 are respectively connected
to different networks and perform packet sending/receiving.
The networks are assumed compliant to 802.3 networks
prescribed by the IEEE. In the following description, the
NIF-A 1602 will be referred to as the "uplink" one and the
NIFs B to D, 1603 to 1605, as "downlink" ones.

The packet forwarding unit 1601 performs forwarding
of packets from a network to another network, according to
the information held in the learned address table 1606 and
filtering table 1607. The PDPCS 1608 receives a directive
packet to change state from a server for authentication
which will be described later and updates the contents of
the filtering table 1607 and learned address table 1606. The
directive packet to change state includes an IP address and
information indicating "permission/inhibition."

FIG. 17 illustrates a filtering table 1607 and
entries.

In the filtering table 1607, information for
identifying a packet not permitted to be forwarded is
registered. The filtering table 1607 contains entries in
a MAC address field 1701, an IP address field 1702, and a
connection port field 1703. In the MAC address field 1701,
a MAC address for which filtering is applied is registered.
In the IP address field 1702, the IP address associated with
the MAC address is registered. In the connection port field
1703, the name of the NIF, any of 1602 to 1605, connected
to the network to which the user terminal having the MAC
address belongs is registered.
FIG. 18 illustrates a learned address table 1606 and
entries (1).

In the learned address table 1606, information
about the NIF through which a packet is forwarded is
registered. The learned address table 1606 contains entries
in a MAC address field 1801 and a connection port field 1802.
In the MAC address field 1801, a MAC address that must exist
in a packet to be forwarded is registered. In the connection
port field 1802, the name of the NIF, any of 1602 to 1605,
through which the LAN switch is to forward a packet whose
destination MAC address matches the content of the
MAC address field is registered. Arrangement is made so that
an entry that has not been referred to for a predetermined
time is automatically deleted from the learned address table
1606.

Then, using a network system as will be shown in FIG.
19 as an example, the operation of the network system in
which the LAN switch 1600 is used will be described below.

FIG. 19 is a topological schematic diagram of the
network system in which the LAN switch 1600 is used.

The present network system, for example, comprises
the LAN switch 1600; networks A to D, respectively connected
to the NIFs 1602 to 1605 of the LAN switch 1600; a plurality
of network ports 409 linked via one of the networks B to D
to one of the downlink NIFs B to D, 1603 to 1605, allowing
end users to freely connect their terminals thereto; a
representative user terminal 1905 connected via a network
port 409 to the network B; a router 1904 connected via the
network A to the uplink NIF-A; and a file server 1902, a DHCP
server 1903, and a server for authentication 1901 connected
via a network to the router 1904.

The router 1904 has a BootP relay agent function and
performs packet forwarding based on the IP protocol. The
DHCP server 1903 leases an IP address to a user terminal,
based on the DHCP protocol. The server for authentication
1901 sends notice of the result of user authentication in
a directive packet to change state to the LAN switch 1600.

In the present network system, each unit of
equipment connected to a specific network is assigned an IP
address belonging to the network (IP address designation as
shown). A physical address (hereinafter represented as a
MAC address) is set for the interface of each unit of
equipment connected to a specific network; the "MAC address"
designation as shown will be referenced if necessary in the
following description.

Then, assume that the user terminal 1905 has now
been connected to the network port 409 of network B. This
case will be discussed below.

FIG. 20 is a diagram of communication sequence after
the connection of the user terminal 1905 to the network port
409 of network B.

In the initial state, nothing is registered in the
filtering table 1607 of the LAN switch 1600. The learned
address table 1606 has one set of entries: the MAC address
(22:22:00:44:44:44) of the router 1904 in the MAC address
field 1801 and the name of the NIF-A 1602 in the connection
port field 1802.

After the connection to the network port 409, first,
the user terminal 1905 sends an address request packet 2001
requesting the assignment of an IP address to it, following
the DHCP protocol. In this case, the user terminal
1905 sends the packet 2001 having a broadcast address as the
destination address. The packet 2001 is received by the
NIF-B 1603 of the LAN switch 1600 and transferred to the
packet forwarding unit.

When the LAN switch 1600 receives the packet 2001,
a process of forwarding the packet begins, which will be
explained below.

FIG. 21 is a flowchart illustrating how the packet
forwarding unit 1601 of the LAN switch 1600 forwards the
packet received.

Upon receiving the packet 2001, the packet
forwarding unit 1601, which is abbreviated to PFU
hereinafter, searches the learned address table 1606 for a
registration matching the destination address of the packet
2001 (step 2101). Since the destination address is not
registered in the learned address table 1606, the PFU judges
whether the destination address is a broadcast address (step
2102). Since the destination address is a broadcast
address, the PFU judges whether the receiving port is uplink
(step 2103). Since the receiving port is NIF-B 1603, which
is not uplink, the PFU searches the learned address table
1606 for a registration matching the source address of the
packet 2001 (step 2104). The source address, the MAC address
(22:22:FF:00:00:01) of the user terminal 1905, is not
registered in the learned address table; since that address
is not registered in the filtering table 1607 either, the
PFU 1601 registers the MAC address (22:22:FF:00:00:01) of
the user terminal 1905 into the MAC address field 1701 on
an entry line in the filtering table 1607 (step 2105).

In this case, as illustrated in FIG. 17, the
following are registered on the entry line in the filtering
table 1607: the information "unregistered" in the IP address
field 1702 and "B" as the name of NIF-B 1603 in the connection
port field 1703.

Then, the PFU 1601 forwards the packet 2001 to the
uplink only, thus sending it to the router 1904 (step 2105).
Because the packet 2001 is the address request
packet, it is forwarded to the DHCP server 1903 by the BootP
relay agent function of the router 1904.

Referring to FIG. 20, an address leasing packet 2002
is sent back from the DHCP server 1903 to the router and
further sent to the destination MAC address
(22:22:FF:00:00:01) of the user terminal 1905, by the BootP
relay agent function of the router 1904.

The packet 2002 is received by the NIF-A 1602 of the
LAN switch 1600 and transferred to the PFU 1601. The PFU
1601 begins the process of forwarding the packet 2002,
according to the flowchart shown in FIG. 21. The PFU 1601
searches the learned address table 1606 for a registration
matching the destination address of the packet 2002, namely,
the MAC address (22:22:FF:00:00:01) of the user terminal
1905 (step 2101). Since the destination address is not
registered in the learned address table 1606, the PFU judges
whether the destination address is a broadcast address (step
2102). Since the destination address is not a broadcast
address, the PFU searches the filtering table 1607 for a
registration matching the destination address (step 2106).
Since the MAC address of the user terminal 1905 is registered
in the filtering table 1607, the PFU judges whether the
receiving port is uplink (step 2107). Since the receiving
port of the packet 2002 is NIF-A 1602, which is uplink, the
PFU judges whether the communication protocol of the packet
2002 is IP protocol (step 2108). Since the communication
protocol is IP protocol, the PFU judges whether the source
IP address included in the packet 2002 is the IP address of
the relay agent (router 1904) or the server for
authentication (step 2109). Since the source IP address is
the IP address of the relay agent (router 1904), the PFU 1601
forwards the packet 2002. In this case, the PFU 1601 refers
to the filtering table 1607, entry #1, on the line of which
the content of the MAC address field 1701 matches the
destination address of the packet 2002. Since the
connection port field 1703 on the entry #1 line contains a
registration, the name of NIF-B 1603, the PFU 1601 forwards
the packet 2002 to the NIF-B 1603 and the packet is sent
through the NIF-B 1603 (step 2110). Thereby, the address
leasing packet 2002 is sent to the user terminal 1905. Now,
assume that IP address "192.168.5.1" has just been leased
to the user terminal 1905 from the DHCP server 1903.

Then, a case where access to the file server 1902
is attempted from the user terminal 1905 that is not yet
user-authenticated by the server will be discussed below,
wherein the IP protocol is used for the access.

In the network system shown in FIG. 19, the file
server 1902 (IP address 192.168.1.2) and the user terminal
1905 (IP address 192.168.5.1) are separately connected to
different subnets. Thus, a packet 2003 that the user
terminal 1905 sends to the file server 1902 for accessing the
server includes the IP address (192.168.1.2) of the file
server 1902 as the destination IP address and the MAC address
(22:22:00:44:44:44) of the router 1904 as the destination
MAC address. The packet 2003 is sent from the user terminal
1905 and received by the NIF-B 1603 of the LAN switch 1600.
The NIF-B transfers the received packet 2003 to the PFU 1601.

After the LAN switch 1600 receives the packet 2003,
how its PFU 1601 carries out the process of forwarding the
packet will be explained below, using the flowchart shown
in FIG. 21.

Upon receiving the packet 2003, the PFU 1601
searches the learned address table 1606 for a registration
matching the destination MAC address of the packet 2003
(step 2101). The destination address, the MAC address of
the router 1904, is registered in the learned address table
1606. Thus, the PFU 1601 checks whether the
communication protocol of the packet 2003 is IP protocol and
whether the source MAC address included in the packet 2003
is registered in the filtering table 1607 (step 2111). The
communication protocol of the packet 2003 is IP protocol and
the source MAC address, the MAC address of the user terminal
1905, is registered in the filtering table 1607. Thus, the
PFU 1601 registers the source IP address included in the
packet 2003 into the IP address field 1702 on the entry line
on which the MAC address of the user terminal 1905 has been
registered in the filtering table 1607 (step 2111). In this
case, originally, the information "unregistered" had been
registered in the IP address field 1702 on the entry line
on which the MAC address of the user terminal 1905 has been
registered in the filtering table 1607, as illustrated in
FIG. 17. Consequently, that information is replaced by the
source IP address included in the packet 2003. The source
IP address included in the packet 2003 is the IP address
(192.168.5.1) leased to the user terminal 1905 from the DHCP
server 1903.

Then, the PFU 1601 forwards the packet 2003 to the
uplink, according to the content of the connection port
field 1802 on the entry line on which the destination MAC
address has been registered in the learned address table
1606. The packet 2003 is sent to the router 1904 through
the uplink. The router 1904 forwards the packet 2003 to the
file server 1902, pursuant to the IP protocol
specifications.

Upon receiving the packet 2003, the file server 1902
sends a reply packet 2004 including data requested by the
user terminal 1905. The router 1904 receives the packet 2004
and forwards it to the LAN switch 1600. The NIF-A 1602 of
the LAN switch 1600 receives the packet 2004 and transfers
it to the PFU 1601.

After the LAN switch 1600 receives the packet 2004,
how its PFU 1601 carries out the process of forwarding the
packet will be explained below, according to the flowchart
shown in FIG. 21.

The packet 2004 includes the MAC address
(22:22:FF:00:00:01) of the user terminal 1905 as the
destination MAC address, the IP address (192.168.5.1) of the
user terminal 1905 as the destination IP address and the IP
address (192.168.1.2) of the file server 1902 as the source
IP address.

First, the PFU 1601 searches the learned address
table 1606 for a registration matching the destination MAC
address of the packet 2004 (step 2101). Since the
destination MAC address is not registered in the learned
address table 1606, the PFU judges whether the destination
MAC address is a broadcast address (step 2102). Since the
destination MAC address is not a broadcast address, the PFU
searches the filtering table 1607 for a registration
matching the destination MAC address (step 2106). Since the
MAC address of the user terminal 1905 is registered in the
filtering table 1607, the PFU judges whether the receiving
port is uplink (step 2107). Since the receiving port of the
packet 2004 is NIF-A 1602, which is uplink, the PFU judges
whether the communication protocol of the packet 2004 is IP
protocol (step 2108). Since the communication protocol is
IP protocol, the PFU judges whether the source IP address
included in the packet 2004 is the IP address of the relay
agent (router 1904) or the server for authentication (step
2109). Since the source IP address is the IP address of the
file server 1902, the PFU discards the packet 2004 (step
2109). Consequently, the packet 2004 is not sent from the LAN
switch 1600 to the user terminal 1905, and the
access from the user terminal 1905 to the file server 1902
is unsuccessful.

Next, a procedure in which the user terminal 1905 
is user- authenticated by the server for authentication will 
be explained below. 

To gain authentication by the server for
authentication 1901, the user inputs a user ID and password
to the user terminal 1905. The user terminal 1905 sends the
server for authentication 1901 a packet 2005 including the
input user ID and password. In this case, the server for
authentication (IP address 192.168.1.1) and the user
terminal 1905 (IP address 192.168.5.1) belong
to different subnets. Thus, the packet 2005 includes the
IP address (192.168.1.1) of the server for authentication
1901 as the destination IP address and the MAC address
(22:22:00:44:44:44) of the router 1904 as the destination
MAC address. The packet 2005 is sent from the user terminal
1905 and received by the NIF-B 1603 of the LAN switch 1600.
The NIF-B transfers the received packet 2005 to the PFU 1601.

After the LAN switch 1600 receives the packet 2005,
how its PFU 1601 carries out the process of forwarding the
packet will be explained below, using the flowchart shown
in FIG. 21.

Upon receiving the packet 2005, the PFU 1601
searches the learned address table 1606 for a registration
matching the destination MAC address of the packet 2005
(step 2101). The destination address, the MAC address of
the router 1904, is registered in the learned address table
1606. Thus, the PFU 1601 makes sure whether the
communication protocol of the packet 2005 is IP protocol and
whether the source MAC address included in the packet 2005
is registered in the filtering table 1607 (step 2111). The
communication protocol of the packet 2005 is IP protocol and
the source MAC address, the MAC address of the user terminal
1905, is registered in the filtering table 1607. Moreover,
the source IP address included in the packet 2005 is also
registered in the filtering table 1607. Thus, the PFU 1601
forwards the packet 2005 to the uplink, according to the
content of the connection port field 1802 on the entry line
on which the destination MAC address has been registered in
the learned address table 1606. The packet 2005 is sent to
the router 1904 through the uplink. The router 1904 forwards
the packet 2005 to the server for authentication 1901,
pursuant to the IP protocol specifications.

On the server for authentication 1901, if the user ID
and password included in the packet 2005 sent from the user
terminal 1905 are those that it holds as those of the user
authorized to use networking service, the server sends a
directive packet to change state, addressing it to the
PDPCS 1608 of the LAN switch 1600. The directive packet to
change state 2006 includes the IP address (192.168.5.1) of
the user terminal 1905 and information "permission." The
router 1904 forwards the directive packet to change state
2006 to the LAN switch 1600. The NIF-A 1602 of the LAN
switch 1600 receives the directive packet to change state
2006 and transfers it via the PFU 1601 to the PDPCS 1608.
Upon receiving the directive packet to change state 2006,
the PDPCS 1608 searches the filtering table 1607 for the IP
address (192.168.5.1) included in the packet 2006. After
searching out the IP address (192.168.5.1) entry from the
filtering table 1607, the PDPCS 1608 reads the associated
MAC address (22:22:FF:00:00:01) and connection port name
(B) on the entry line from the MAC address field 1701 and
connection port field 1703. The PDPCS 1608 adds a new entry
line to the learned address table 1606 and registers the
above MAC address and connection port name into the
respective fields on the entry line.

FIG. 22 illustrates the learned address table 1606
and entries (2). As illustrated in FIG. 22, the learned
address table 1606 now includes entry #2, a new entry holding
the MAC address (22:22:FF:00:00:01) and connection port
name (B).

After being user-authenticated by the server for
authentication 1901, when the user terminal 1905 sends a
packet 2007 to the file server 1902 again for accessing the
server, the packet 2007 is forwarded via the LAN switch 1600
and the router 1904 and sent to the file server 1902.

Upon receiving the packet 2007, the file server 1902
sends back a reply packet 2008 including data requested by
the user terminal 1905. The router 1904 receives the packet
2008 and forwards it to the LAN switch 1600. The NIF-A 1602
of the LAN switch 1600 receives the packet 2008 and transfers
it to the PFU 1601. Upon receiving the packet 2008, the PFU
1601 carries out the process of forwarding the packet in
accordance with the flowchart shown in FIG. 21, which will
be explained below.

The packet 2008 includes the MAC address
(22:22:FF:00:00:01) of the user terminal 1905 as the
destination MAC address, the IP address (192.168.5.1) of the
user terminal 1905 as the destination IP address, and the
IP address (192.168.1.2) of the file server 1902 as the
source IP address.

The PFU 1601 searches the learned address table 1606
for a registration matching the destination MAC address of
the packet 2008, namely, the MAC address of the user terminal
1905 (step 2101). Because the destination MAC address is
the MAC address (22:22:FF:00:00:01) of the user terminal
1905, it is registered in the learned address table 1606 as
illustrated in FIG. 22. Thus, the PFU 1601 makes sure
whether the communication protocol of the packet 2008 is IP
protocol and whether the source MAC address included in the
packet 2008 is registered in the filtering table 1607 (step
2111). Since the communication protocol of the packet 2008
is IP protocol, but the source MAC address, the MAC address
of the router 1904, is not registered in the filtering table
1607, the PFU registers nothing into the filtering table
1607. Then, the PFU 1601 forwards the packet 2008 to the
NIF-B 1603, according to the content of the connection port
field 1802 on the entry line on which the destination MAC
address has been registered in the learned address table
1606. The packet 2008 is sent to the user terminal 1905
through the NIF-B 1603. Thereby, an access path from the
user terminal 1905 to the file server 1902 has been
established.
After being user-authenticated, if the user
terminal 1905 remains not communicating with the file server
for a predetermined time, the entry (entry #2) is
automatically deleted from the learned address table 1606.
Consequently, the user terminal 1905 becomes unable to
access the file server 1902 and continues to be unable
until it is user-authenticated by the server for
authentication again. The DHCP server 1903 leases an
address and usually a time limit of using the leased address
is set. On the elapse of a predetermined time after the DHCP
server 1903 leases an address to the user terminal 1905, when
the time limit of using the address expires, the DHCP server
1903 sends the server for authentication 1901 notice of
timeout 2009. Upon receiving the notice of timeout 2009,
the server for authentication sends a directive packet to
change state 2010 including the IP address (192.168.5.1 in
this case) whereof the time limit of use expires and
information "inhibition," addressing it to the PDPCS 1608
of the LAN switch 1600. The router 1904 forwards the
directive packet to change state 2010 to the LAN switch 1600.
The NIF-A 1602 of the LAN switch 1600 receives the directive
packet to change state 2010 and transfers it via the PFU 1601
to the PDPCS 1608. Upon receiving the directive packet to
change state 2010, the PDPCS 1608 searches the filtering
table 1607 for the IP address (192.168.5.1) included in the
packet 2010. After searching out the IP address
(192.168.5.1) entry from the filtering table 1607, the PDPCS
1608 reads the associated MAC address (22:22:FF:00:00:01)
on the entry line from the MAC address field 1701.
Furthermore, the PDPCS 1608 searches the learned address
table 1606 for the above MAC address and finds out the MAC
address entry. From both the filtering table 1607 and the
learned address table 1606, the PDPCS 1608 deletes the line
or the entry it searched out. In consequence, the user
terminal 1905 becomes unable to access the file server
1902 and continues to be unable unless it is
user-authenticated again.

As described above, by using the LAN switch 1600,
a network system can be built that prevents an
unauthenticated user terminal 1905 from accessing the file
server 1902, whereas it permits an authenticated user terminal
1905 to access the file server 1902. If a user terminal
connected to a network port remains in a non-communicating
status for a predetermined time, or if the time limit of
using the address leased to a user terminal expires, the
table in the LAN switch 1600 is automatically modified to
disable the terminal in networking use so that the LAN switch
can prevent the user terminal from accessing the file server
1902 until it is user-authenticated again.
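The forwarding decision walked through above for packets 2004, 2005 and 2008, together with the "permission" and "inhibition" directives handled by the PDPCS 1608, as a runnable model. This is an added example in Python, not code from the patent; the dict layouts of the two tables, the relay agent's IP address, the flooding of broadcasts, the discarding of a destination found in neither table and the delivery port for a permitted packet to an unauthenticated terminal are assumptions not stated on the page.

```python
"""Model of the LAN switch 1600 forwarding and state-change logic
described for FIGS. 21 and 22.  Added example, not the patent's code.
Assumptions not stated on the page: both tables are plain dicts keyed
by MAC address; a broadcast destination is flooded (steps 2103 to 2105
are not walked through here); a destination in neither table is
discarded; a packet from the relay agent or the authentication server
to an unauthenticated terminal leaves on the port recorded for that
terminal in the filtering table.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

BROADCAST = "FF:FF:FF:FF:FF:FF"
UPLINK = "A"   # NIF-A 1602 is the uplink port of the LAN switch 1600


@dataclass
class Packet:
    dst_mac: str
    src_mac: str
    in_port: str           # port the packet was received on
    proto: str = "IP"      # "IP" or another protocol such as "ARP"
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


@dataclass
class LanSwitch:
    relay_agent_ip: str    # router 1904 acting as DHCP relay agent
    auth_server_ip: str    # server for authentication 1901
    # filtering table 1607: MAC (field 1701) -> {"ip": ..., "port": ...}
    filtering: Dict[str, dict] = field(default_factory=dict)
    # learned address table 1606: MAC -> connection port (field 1802)
    learned: Dict[str, str] = field(default_factory=dict)

    def forward(self, pkt: Packet) -> str:
        """Return the port the packet leaves on, "flood", or "discard"."""
        if pkt.dst_mac in self.learned:                              # step 2101
            if pkt.proto == "IP" and pkt.src_mac in self.filtering:  # step 2111
                # record the sender's IP on its filtering-table entry line
                self.filtering[pkt.src_mac]["ip"] = pkt.src_ip
            return self.learned[pkt.dst_mac]
        if pkt.dst_mac == BROADCAST:                                 # step 2102
            return "flood"
        if pkt.dst_mac not in self.filtering:                        # step 2106
            return "discard"
        if pkt.in_port != UPLINK:                                    # step 2107
            return "discard"
        if pkt.proto != "IP":                                        # step 2108
            return "discard"
        if pkt.src_ip in (self.relay_agent_ip, self.auth_server_ip): # step 2109
            return self.filtering[pkt.dst_mac]["port"]
        return "discard"   # e.g. a reply from the file server 1902

    def change_state(self, ip: str, state: str) -> bool:
        """PDPCS 1608: apply a directive packet to change state."""
        for mac, entry in list(self.filtering.items()):
            if entry["ip"] != ip:
                continue
            if state == "permission":       # add entry #2 of FIG. 22
                self.learned[mac] = entry["port"]
            elif state == "inhibition":     # delete from both tables
                del self.filtering[mac]
                self.learned.pop(mac, None)
            return True
        return False


def replay_sequence() -> Dict[str, str]:
    """Replay packets 2004, 2005 and 2008 and the two directives."""
    sw = LanSwitch(relay_agent_ip="192.168.5.254",   # constructed value
                   auth_server_ip="192.168.1.1")
    terminal, router = "22:22:FF:00:00:01", "22:22:00:44:44:44"
    sw.filtering[terminal] = {"ip": "192.168.5.1", "port": "B"}
    sw.learned[router] = "A"
    from_server = Packet(terminal, router, "A", "IP", "192.168.1.2", "192.168.5.1")
    login = Packet(router, terminal, "B", "IP", "192.168.5.1", "192.168.1.1")
    out = {"packet 2004": sw.forward(from_server),
           "packet 2005": sw.forward(login)}
    sw.change_state("192.168.5.1", "permission")   # directive 2006
    out["packet 2008"] = sw.forward(from_server)
    sw.change_state("192.168.5.1", "inhibition")   # directive 2010
    out["after inhibition"] = sw.forward(from_server)
    return out
```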
FIG. 23 is a topological schematic diagram of a
network system in which a router 2300 is used as the packet
communications apparatus.

The router 2300, for example, comprises a plurality
of NIFs A to D, 2302 to 2305, a packet forwarding unit (PFU)
2301, and an IP address registration table 2306.

The PFU 2301 performs packet forwarding, pursuant
to the IP protocol. The PFU 2301 encapsulates packets from
a user terminal having an IP address not registered in the
IP address registration table 2306. The NIFs A to D, 2302
to 2305, are respectively connected to different networks and
perform packet sending/receiving. In the IP address
registration table 2306, the IP address of an authenticated
user terminal is registered.

The present network system, for example, comprises
the router 2300; a server for authentication 2310 and a file
server 2311 connected via network A to the NIF-A 2302 of the
router 2300; a plurality of network ports 409 linked via one
of networks B to D to one of the NIFs B to D, 2303 to 2305,
allowing end users to freely connect their terminal thereto;
and a representative user terminal 2312 connected via a
network port 409 to network B 2313. The server for
authentication 2310 performs user authentication, notifies
the router 2300 of the result thereof, and performs
sending/receiving of encapsulated packets, which will be
described later.

Then, in the present network system, assume that the
user terminal 2312 has now been connected to the network port
409 connected to network B 2313. This case will be discussed
below.

FIG. 27 illustrates the IP address registration
table 2306 and entries in the initial state. FIG. 24 is a
diagram of communication sequence after the user makes the
connection of the user terminal 2312 to the network port 409.

To access the file server 2311, the user terminal
2312 that is not yet user-authenticated sends a packet 2400,
addressing it to the IP address (192.168.10.2) of the file
server 2311.

In this case, the packet 2400 is received by the
NIF-B 2303 of the router 2300 and transferred to the PFU
2301. The PFU 2301 receives the packet 2400 from the user
terminal 2312 and begins the process of forwarding the
packet.

FIG. 25 is a flowchart of how the PFU 2301 of the 
router 2300 forwards a packet. 

Upon receiving the packet 2400, the PFU 2301 judges
whether the destination address of the packet 2400 is the
address for encapsulation of the router 2300 (step 2501).
The destination address of the packet 2400 is the IP address
of the file server 2311, not the address for encapsulation
of the router. Then, the PFU searches the IP address
registration table 2306 to judge whether the source address
of the packet 2400 has been registered in the table (step
2502). Since the source address, the IP address of the user
terminal 2312, is not registered in the IP address
registration table 2306, the PFU 2301 encapsulates the
packet 2400 (step 2503).

Hereupon, encapsulation is specifically that the
PFU regards the entire packet 2400 including its IP header
as one data and, to the data, attaches another IP header
specifying the address for encapsulation (192.168.100.100)
of the server for authentication 2310 as the destination
address and the address for encapsulation (192.168.100.101)
of the router 2300 as the source address, thus generating
a new packet (encapsulated packet). Consequently, the
encapsulated packet is sent to the server for authentication
2310, no matter what the original destination address is
(e.g., the IP address of the file server 2311) (step 2504).

Now, how the server for authentication 2310 handles
the encapsulated packet it received will be explained.

FIG. 26 is a flowchart illustrating how the server
for authentication 2310 handles a packet it received.
Upon receiving the encapsulated packet, the server
for authentication 2310, which is abbreviated to SV-AUTH
hereinafter, judges whether the destination address of the
packet is the address for encapsulation of the SV-AUTH (step
2601). Since the destination address of the encapsulated
packet is the address for encapsulation of the SV-AUTH, the
SV-AUTH judges whether the source address of the packet is
the address for encapsulation of the router 2300 (step
2602). Since the source address is the address for
encapsulation of the router, the SV-AUTH decapsules the
received packet and recovers the original packet 2400 (step
2603). Decapsuling is specifically that the SV-AUTH removes
the IP header from the encapsulated packet, thus taking back
the packet 2400 before being encapsulated, equivalent to the
data included in the encapsulated packet.

Then, the SV-AUTH 2310 judges whether the
destination address of the decapsuled packet 2400 is the IP
address of the SV-AUTH (step 2604). The destination address
of the packet 2400 is the IP address of the file server 2311,
not the IP address of the SV-AUTH 2310. Thus, the SV-AUTH
2310 discards the packet 2400.

In consequence, the unauthenticated user terminal
2312 cannot access the file server 2311.
Then, a procedure in which the user terminal 2312
is user-authenticated by the SV-AUTH 2310 will be explained
below, using FIGS. 24 and 25.

To gain authentication by the SV-AUTH 2310, the user
inputs user ID and password to the user terminal 2312. The
user terminal 2312 sends the SV-AUTH 2310 a packet 2401
including the input user ID and password. The packet 2401
is received by the NIF-B 2303 of the router 2300. The NIF-B
2303 transfers the received packet 2401 to the PFU 2301.

Upon receiving the packet 2401, the PFU 2301 of the
router 2300 carries out the process of forwarding the
packet, which will be explained below, using the flowchart
shown in FIG. 25.

Upon receiving the packet 2401, the PFU 2301 judges
whether the destination address of the packet 2401 is the
address for encapsulation of the router 2300 (step 2501).
The destination address of the packet 2401 is the IP address
of the SV-AUTH 2310, not the address for encapsulation of
the router. Then, the PFU searches the IP address
registration table 2306 to judge whether the source address
of the packet 2401 has been registered in the table (step
2502). Since the source address, the IP address of the user
terminal 2312, is not registered in the IP address
registration table 2306, the PFU 2301 encapsulates the
packet 2401 (step 2503). Then, the PFU 2301 sends the
encapsulated packet to the SV-AUTH 2310 (step 2504).

As illustrated in FIG. 26, upon receiving the
encapsulated packet, the SV-AUTH 2310 judges whether the
destination address of the packet is the address for
encapsulation of the SV-AUTH (step 2601). Since the
destination address of the encapsulated packet is the
address for encapsulation of the SV-AUTH, the SV-AUTH judges
whether the source address of the packet is the address for
encapsulation of the router 2300 (step 2602). Since the
source address is the address for encapsulation of the
router, the SV-AUTH decapsules the received packet and
recovers the original packet 2401 (step 2603). Then, the
SV-AUTH 2310 judges whether the destination address of the
decapsuled packet 2401 is the IP address of the SV-AUTH (step
2604). Since the destination address of the packet 2401 is
the IP address of the SV-AUTH 2310, the SV-AUTH carries out
authentication (step 2605). In the authentication step, the
SV-AUTH 2310 compares the user ID and password included in
the packet 2401 with those that it holds as those of the user
authorized to use networking service for a match. If the
match is made certain, the SV-AUTH generates a packet 2402
for notice of successful user authentication of the user
terminal 2312, encapsulates the packet 2402 and sends it
back (step 2606). The packet 2402 has its IP header
specifying the IP address of the user terminal 2312 as the
destination address. Encapsulation by the SV-AUTH 2310 is
specifically that the SV-AUTH attaches another IP header
specifying the address for encapsulation (192.168.100.101)
of the router 2300 as the destination address and the address
for encapsulation (192.168.100.100) of the SV-AUTH 2310 as
the source address to the packet 2402, thus generating a new
packet (encapsulated packet). Thus, the encapsulated
packet is sent to the router 2300.

The encapsulated packet is received by the NIF-A
2302 and transferred to the PFU 2301. According to the
flowchart shown in FIG. 25, the PFU 2301 judges whether the
destination address of the received packet is the address
for encapsulation of the router (step 2501). Since the
destination address is the address for encapsulation of the
router 2300, the PFU judges whether the source address is
the address for encapsulation of the SV-AUTH 2310 (step
2505). Since the source address is the address for
encapsulation of the SV-AUTH 2310, the PFU 2301 decapsules
the received packet and recovers the original packet 2402
(step 2506). Then, the PFU 2301 forwards the packet 2402
(step 2507), thus sending it to the user terminal 2312.

Upon the successful authentication of the user of
the user terminal 2312, the SV-AUTH 2310 sends the router
2300 a directive packet 2403 to register the IP address
(192.168.3.3) of the user terminal 2312 into the IP address
registration table 2306.

The packet 2403 is received by the NIF-A 2302 and
transferred to the PFU 2301. Upon receiving the packet 2403,
the PFU 2301 registers the IP address (192.168.3.3) of the
user terminal 2312 into the IP address registration table
2306, following the directive in the packet 2403.

Assume that, after being user-authenticated, the
user terminal 2312 accesses the file server 2311, and this
case will be discussed below.

To access the file server 2311, the user terminal
2312 sends a packet 2404, addressing it to the IP address
(192.168.10.2) of the file server 2311. The packet 2404 is
received by the NIF-B 2303 of the router 2300 and transferred
to the PFU 2301.

As illustrated in FIG. 25, upon receiving the packet 2404,
the PFU 2301 judges whether the destination address of the
packet 2404 is the address for encapsulation of the router
2300 (step 2501). The destination address of the packet 2404
is the IP address of the file server 2311, not the address
for encapsulation of the router. Then, the PFU searches the
IP address registration table 2306 to judge whether the
source address of the packet 2404 has been registered in the
table (step 2502). Since the source address, the IP address
of the user terminal 2312, is registered in the IP address
registration table 2306, the PFU 2301 of the router forwards
the packet 2404 (step 2508), thus sending the packet 2404
to the file server 2311.

Upon receiving the packet 2404, the file server 2311
sends back a reply packet 2405 including data requested by
the user terminal 2312. The packet 2405 is received by the
NIF-A 2302 and transferred to the PFU 2301. The PFU 2301
judges whether the destination address of the packet 2405
is the address for encapsulation of the router 2300 (step
2501). The destination address of the packet 2405 is the
IP address of the user terminal 2312, not the address for
encapsulation of the router. Then, the PFU searches the IP
address registration table 2306 to judge whether the source
address of the packet 2405 has been registered in the table
(step 2502). The source address, the IP address
(192.168.10.2) of the file server 2311, is registered in the
IP address registration table 2306. Thus, the PFU 2301 of
the router forwards the packet 2405 (step 2508), thus
sending the packet 2405 to the user terminal 2312. As
described above, the user terminal 2312 becomes able to
access the file server 2311 after being user-authenticated
by the SV-AUTH 2310.

After the successful authentication of the user of
the user terminal 2312, the SV-AUTH 2310 periodically sends
the user terminal 2312 an ICMP echo request 2406 conforming
to the Internet Control Message Protocol (ICMP). The
SV-AUTH makes sure that an ICMP echo reply 2407, which is
reply data to the ICMP echo request 2406, is sent back from
the user terminal 2312.

If the ICMP echo reply 2407 is not sent back within
a predetermined time after sending the ICMP echo request
2406, the SV-AUTH 2310 sends the router 2300 a directive
packet to delete the IP address (192.168.3.3) of the user
terminal 2312 from the IP address registration table. The
directive packet is received by the NIF-A 2302 and
transferred to the PFU 2301. Upon receiving the directive
packet, the PFU 2301 deletes the IP address (192.168.3.3)
of the user terminal 2312 from the IP address registration
table 2306, following the directive in the packet. In
consequence, the user terminal 2312 becomes unable to
access the file server 2311 and continues to be unable
until it is user-authenticated again.

As described above, by using the router 2300, a
network system can be built that prevents an unauthenticated
user terminal 2312 from accessing the file server 2311,
whereas it permits an authenticated user terminal 2312 to
access the file server 2311. Furthermore, the SV-AUTH 2310
makes sure whether an ICMP echo reply 2407 is periodically
received from the user terminal 2312. No arrival of an ICMP
echo reply indicates that the user terminal 2312 is
disconnected from the network or has stopped using the network.
If this happens, the IP address of the user terminal 2312
is automatically deleted from the IP address registration
table 2306, so that further access from the user terminal
2312 to the file server 2311 can be prevented.
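The router-side flow of FIG. 25, the SV-AUTH flow of FIG. 26 and the keepalive-driven deletion just described, modelled end to end with IP-in-IP encapsulation on real IPv4 header bytes. This is an added Python example, not the patent's own code; the SV-AUTH's own IP address, the "user:password" credential format, the account store, the constructed packets and the outcome of the branches the page does not walk through (a tunnel packet from any source other than the SV-AUTH's encapsulation address is discarded) are assumptions.

```python
"""Model of the router 2300 (FIG. 25) and SV-AUTH 2310 (FIG. 26).
Added example, not the patent's code.  Packets are a minimal 20-byte
IPv4 header (checksum left at zero) plus payload; encapsulation is
IP-in-IP (protocol 4) carrying the whole original packet as the outer
payload.  The SV-AUTH's own IP, the credential format and the account
store are assumptions; the table 2306 starts with the file server's IP.
"""
import hmac
import struct
from ipaddress import IPv4Address
from typing import Dict, Tuple

IPPROTO_IPIP, IPPROTO_UDP = 4, 17
HDR = struct.Struct("!BBHHHBBH4s4s")   # version/IHL ... src, dst


def build(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = HDR.pack(0x45, 0, HDR.size + len(payload), 0, 0, 64, proto, 0,
                   IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def parse(pkt: bytes) -> dict:
    f = HDR.unpack_from(pkt)
    return {"src": str(IPv4Address(f[8])), "dst": str(IPv4Address(f[9])),
            "proto": f[6], "payload": pkt[HDR.size:f[2]]}


class Router:
    """PFU 2301 with the IP address registration table 2306."""

    def __init__(self, encap_ip: str, svauth_encap_ip: str, registered):
        self.encap_ip, self.svauth_encap_ip = encap_ip, svauth_encap_ip
        self.registered = set(registered)          # table 2306

    def forward(self, pkt: bytes) -> Tuple[str, bytes]:
        """Return (next destination, packet as it leaves the router)."""
        p = parse(pkt)
        if p["dst"] == self.encap_ip:                     # step 2501
            if p["src"] != self.svauth_encap_ip:          # step 2505
                return "discard", pkt                     # assumed
            inner = p["payload"]                          # step 2506
            return parse(inner)["dst"], inner             # step 2507
        if p["src"] in self.registered:                   # step 2502
            return p["dst"], pkt                          # step 2508
        wrapped = build(self.encap_ip, self.svauth_encap_ip,
                        IPPROTO_IPIP, pkt)                # step 2503
        return self.svauth_encap_ip, wrapped              # step 2504

    def directive(self, ip: str, register: bool) -> None:
        """Packet 2403 (register) or the delete directive sent when the
        ICMP echo reply 2407 does not arrive (register=False)."""
        (self.registered.add if register else self.registered.discard)(ip)


class SvAuth:
    """Server for authentication 2310."""

    def __init__(self, ip: str, encap_ip: str, router_encap_ip: str,
                 accounts: Dict[str, str]):
        self.ip, self.encap_ip = ip, encap_ip
        self.router_encap_ip, self.accounts = router_encap_ip, accounts

    def handle(self, pkt: bytes, router: Router):
        """Return the encapsulated reply (packet 2402) or a verdict string."""
        p = parse(pkt)
        if p["dst"] != self.encap_ip:                     # step 2601
            return "not-encapsulated"
        if p["src"] != self.router_encap_ip:              # step 2602
            return "discard"
        inner = parse(p["payload"])                       # step 2603
        if inner["dst"] != self.ip:                       # step 2604
            return "discard"
        user, _, password = inner["payload"].decode().partition(":")
        if not hmac.compare_digest(self.accounts.get(user, ""), password):
            return "auth-failed"                          # step 2605
        reply = build(self.ip, inner["src"], IPPROTO_UDP, b"auth-ok")
        router.directive(inner["src"], True)              # packet 2403
        return build(self.encap_ip, self.router_encap_ip,
                     IPPROTO_IPIP, reply)                 # step 2606


def replay_sequence() -> Dict[str, str]:
    """Packets 2400, 2401, 2402, 2404 and the keepalive-driven delete."""
    svauth_ip = "192.168.10.1"   # constructed: not given on the page
    router = Router("192.168.100.101", "192.168.100.100", {"192.168.10.2"})
    svauth = SvAuth(svauth_ip, "192.168.100.100", "192.168.100.101",
                    {"alice": "s3cret"})   # constructed account
    request = build("192.168.3.3", "192.168.10.2", IPPROTO_UDP, b"read file")
    out = {}
    dest, pkt = router.forward(request)                          # 2400
    out["2400 goes to"] = dest
    out["2400 at SV-AUTH"] = svauth.handle(pkt, router)
    _, pkt = router.forward(build("192.168.3.3", svauth_ip,
                                  IPPROTO_UDP, b"alice:s3cret"))  # 2401
    dest, reply = router.forward(svauth.handle(pkt, router))     # 2402
    out["2402 goes to"] = dest
    out["2402 payload"] = parse(reply)["payload"].decode()
    out["2404 goes to"] = router.forward(request)[0]             # 2404
    router.directive("192.168.3.3", False)   # no ICMP echo reply 2407
    out["after delete"] = router.forward(request)[0]
    return out
```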

FIG. 28 is a topological schematic diagram of a
network system wherein a plurality of networks are
interconnected via a plurality of packet communications
apparatuses A to C 2801 and a router 2820.

The present network system, for example, comprises
the packet communications apparatuses A to C 2801; the router
2820 connected to the packet communications apparatuses A
to C 2801; servers A to C 2803, a filtering status manager
2802, and a DHCP server 2807 which are connected to the
router 2820 via one of separate networks (IP subnets); a
network ports system 2830 comprising one or more networks
(IP subnets) linked to one of the packet communications
apparatuses A to C 2801; and one or more user terminals 2806
which are connected to any network in the network ports system
2830. Each of the packet communications apparatuses A to
C 2801 has a learned address table 2811, an out-of-authentication
address table 2812, and an address for authentication table
2813 and performs forwarding or filtering (discard) of
packets sent from the user terminal 2806 connected to the
network ports system 2830. The packet communications
apparatuses A to C 2801 are LAN switches performing packet
forwarding on the data link layer in the OSI reference model.
Each of the packet communications apparatuses A to C 2801
has a DHCP relay agent function and the IP addresses
corresponding to the IP subnets linked to it.

Each of the servers A to C 2803 comprises a user
authentication unit 2804 and an authentication status
detector 2805. The user authentication unit 2804 has a user
account table 2840 to contain user identification
information. The authentication status detector 2805 has
a subnet table 2814. The user authentication unit 2804 is
installed as a software implementation to be run on the
hardware (personal computer) of each of the servers A to C
2803. While a login function provided by the operating
system (OS) of the server is used as the user authentication
unit 2804, other authentication means may be used, for
example, supplying a World Wide Web (WWW) page to prompt the
user to enter a password. If there are a plurality of user
authentication units 2804 in the network system, a common
means for user authentication may be implemented for all the
units or different means for user authentication may be
implemented for different units. The authentication status
detector 2805 is also installed as a software implementation
to be run on each of the servers A to C 2803. Whenever the
user authentication unit 2804 completes a procedure of
authentication (login), it notifies the authentication
status detector 2805 of the IP address of a successfully
authenticated user terminal.

The filtering status manager 2802 has a subnet table
2814. The filtering status manager 2802 communicates with
the authentication status detector 2805 of each of the
servers A to C 2803 and each of the packet communications
apparatuses 2801 via the networks.

In the present network system, an end user can
connect the user terminal (a notebook-size personal
computer or the like) to any of the one or more networks (IP
subnets 147.3.1.0 to 147.5.3.0) in the network ports system
2830 so that the user can use the network system.

In the network system, it is assumed that all
communication is performed, pursuant to the IP protocol
(IPv4). However, the network system may be operated, using
any other communication protocol (for example, IPv6). An
IP subnet number is assigned to each of the networks (IP
subnets). It is assumed that all subnet masks are 24 bits
in length. A unit of equipment connected to one of the
networks is assigned the IP address belonging to the
network. Such IP address is shown as IP address designation
in FIG. 28. All the networks are 802.3 networks of CSMA/CD
type, the specifications thereof being prescribed by the
IEEE. However, other types of networks may be used as the
networks shown. A physical address (hereinafter
represented as a MAC address) is set for each interface of
each unit of equipment connected to a specific network. MAC
address designation as shown in FIG. 28 will be referenced
if necessary in the following description.

Information setting on each unit of equipment in the 
initial state when no user terminal 2806 is connected to the 
network ports system 2830 will be explained below. 

In the user authentication unit 2804, the user ID
and password of a user authorized to use networking service
are registered for all users authorized heretofore. Because
the user authentication (login) function of the server OS
is used as the user authentication unit 2804, such
registration information is retained as the user accounts
2840 under the management of the server OS. In the
authentication status detector 2805 and the filtering
status manager 2802, the subnet tables 2814 hold current
settings.

FIG. 29 illustrates the subnet table 2814 and
entries.

The subnet table 2814 contains entries in the
following fields: subnet address 2901, subnet mask 2902, IP
address of filtering status manager 2903, and IP address of
packet communications apparatus 2904. On each entry line,
the field of IP address of packet communications apparatus
2904 contains a registration of the IP address of a packet
communications apparatus 2801 to which an IP subnet is
linked that has an address given by the AND of a subnet
address value registered in the subnet address field 2901
and a subnet mask value registered in the subnet mask field
2902. The field of IP address of filtering status manager
2903 contains a registration of the IP address of the
filtering status manager 2802 that issues a directive to the
packet communications apparatus 2801 whose IP address is
registered in the IP address field 2904. Because only one
filtering status manager 2802 exists in the network system,
the same IP address is registered in the field of IP address
of filtering status manager 2903 on all entry lines in the
subnet table 2814. It is possible that a plurality of
filtering status managers 2802 are used in the network
system and the appropriate one of their IP addresses is
registered in the field on the entry lines in the subnet
table 2814, thus distributing the processing load between
or among the filtering status managers 2802. When a login
by a user is detected, the authentication status detector
2805 searches the subnet table 2814 for the IP subnet to
which the IP address of the user terminal 2806 operated by
the user belongs and determines the filtering status manager
2802 to which notice of the user login is to be sent from
the IP subnet address entry searched out. Similarly, the
filtering status manager 2802 determines a packet
communications apparatus 2801 to which notice of the IP
address of the logged-in user terminal is to be sent from
the contents of the subnet table 2814.
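The subnet table 2814 lookup just described (subnet address AND mask, then the manager and apparatus addresses read from the matching entry line), as an added Python example that is not the patent's own code. The three entries are constructed from the subnet addresses named above; the manager and apparatus addresses are placeholders, and the lookup is generalised to prefer the longest mask where entries overlap.

```python
"""Subnet table 2814 lookup (FIG. 29) used by the authentication status
detector 2805 and the filtering status manager 2802.  Added example, not
the patent's code.  Entries are constructed: subnet addresses come from
the text, manager and apparatus addresses are placeholders.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, NamedTuple, Optional, Tuple


class SubnetEntry(NamedTuple):
    subnet_address: str    # field 2901
    subnet_mask: str       # field 2902
    manager_ip: str        # field 2903: filtering status manager 2802
    apparatus_ip: str      # field 2904: packet communications apparatus 2801


SUBNET_TABLE = [   # constructed entries; all masks are 24 bits, as assumed above
    SubnetEntry("147.3.1.0", "255.255.255.0", "10.0.0.1", "10.0.0.10"),
    SubnetEntry("147.3.3.0", "255.255.255.0", "10.0.0.1", "10.0.0.10"),
    SubnetEntry("147.5.3.0", "255.255.255.0", "10.0.0.1", "10.0.0.30"),
]


def lookup(table: List[SubnetEntry], ip: str) -> Optional[SubnetEntry]:
    """Return the entry whose (subnet address AND mask) covers ip.
    If several entries match, the one with the longest mask wins."""
    addr = int(IPv4Address(ip))
    best = None
    for e in table:
        mask = int(IPv4Address(e.subnet_mask))
        if addr & mask == int(IPv4Address(e.subnet_address)) & mask:
            if best is None or mask > int(IPv4Address(best.subnet_mask)):
                best = e
    return best


def login_notice_path(table: List[SubnetEntry],
                      terminal_ip: str) -> Optional[Tuple[str, str]]:
    """Where notice of a login from terminal_ip is relayed: detector 2805
    -> filtering status manager 2802 -> packet communications apparatus 2801."""
    e = lookup(table, terminal_ip)
    return None if e is None else (e.manager_ip, e.apparatus_ip)


def validate(table: List[SubnetEntry]) -> List[str]:
    """Flag entry lines whose subnet address has host bits set under its
    mask; such a line never matches the AND computed by lookup()."""
    problems = []
    for e in table:
        net = IPv4Network((e.subnet_address, e.subnet_mask), strict=False)
        if str(net.network_address) != e.subnet_address:
            problems.append(f"{e.subnet_address}/{e.subnet_mask}: host bits set")
    return problems
```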

No entry exists in the learned address table 2811
that each of the packet communications apparatuses A to C
2801 has. The contents of the learned address table 2811
will be described later.

FIG. 30 illustrates the address for authentication
table 2813 and entries.

In the address for authentication table 2813, the
IP addresses of the servers 2803 having the user
authentication unit 2804 are registered. In addition, the
IP address of equipment that provides a function required
for user authentication (for example, Domain Name System
(DNS)) may be registered. In the address for authentication
table 2813 illustrated in FIG. 30, the IP addresses of the
servers A to C 2803 are registered. The address for
authentication table 2813 may be used to register the IP
address of a server that holds information that may be opened
to users who are not yet authenticated.

FIG. 31 is the out-of-authentication address table
2812 on the packet communications apparatus A 2801 and
entry.
In the out-of-authentication address table 2812, a
MAC address of information equipment that users can access
without being user-authenticated is registered.
Information equipment to be registered in the
out-of-authentication address table 2812 includes packet
communications apparatus such as a router, equipment such
as a printer that is unable to perform voluntary user
authentication (login), etc. The MAC address of such
equipment is registered in the out-of-authentication
address table 2812 on the packet communications apparatus
connected to the network to which the equipment is also
connected. In the out-of-authentication address table 2812
illustrated in FIG. 31, among the NIFs of the router 2820,
the MAC address of the NIF linked to the packet communications
apparatus A 2801 is registered.

If the user terminal 2806 is connected to the network ports system 2830 in the state of the above-described initial settings, the user terminal 2806 is only permitted to communicate with the DHCP server 2807, to perform Address Resolution Protocol (ARP) communication with the router 2820, and to communicate with the user authentication unit 2804. Other communication, if attempted, is filtered by the packet communications apparatus A 2801. Filtering means discarding the packet of a communication that is not permitted.
In the network system shown in FIG. 28, assume that the user has now connected the user terminal 2806 to the network (IP subnet 147.3.3.0) in the network ports system 2830 and that a request for user authentication (login) is issued from the user terminal 2806. A diagram of the communication sequence thereof is shown in FIG. 33.

It is assumed that the user terminal 2806 communicates with the server A 2803 to gain authentication (login to the server) and that the IP address 137.1.1.1 of the server A is known to the user terminal 2806 or to the user of the user terminal 2806.

When the user terminal 2806 has just been connected to the network (IP subnet 147.3.3.0) in the network ports system 2830, it is not yet assigned an IP address. In the network system shown in FIG. 28, an IP address is assigned to the user terminal 2806 by using DHCP. Means other than DHCP may be used to assign an IP address to the user terminal 2806. For example, the user may set an IP address for the user terminal 2806 by himself or herself. If a means other than DHCP is used, the DHCP relay agent function of the packet communications apparatus 2801 is not necessary.

After the user terminal is connected to the network (IP subnet 147.3.3.0) in the network ports system 2830, first, the user terminal 2806 sends an address request packet requesting the assignment of an IP address to it, following the DHCP protocol. In this case, the user terminal 2806 sends the packet by broadcast, with a broadcast address as the destination address. The address request packet is received by the packet communications apparatus A 2801.

FIG. 32 is a flowchart illustrating how each packet communications apparatus A to C 2801 forwards a packet it has received.

Upon receiving the address request packet from the user terminal 2806, the packet communications apparatus A 2801 searches the learned address table 2811 for the source MAC address (22:22:00:11:11:11) included in the packet (step 3201). Since no entry exists in the learned address table 2811 in the initial state, the apparatus searches the out-of-authentication address table 2812 for the source MAC address of the packet (step 3202). As illustrated in FIG. 31, however, only the MAC address of the router 2820 is registered in the out-of-authentication address table 2812. It is thus apparent that the source MAC address included in the packet from the user terminal 2806 is not registered in either of the above tables. Accordingly, the packet communications apparatus A 2801 registers the source MAC address into the learned address table 2811 as one entry (step 3203).
Then, the packet communications apparatus A 2801 searches the address for authentication table 2813 for the destination IP address of the address request packet (step 3204). Because the destination address of the address request packet is a broadcast address, however, it is not registered in the address for authentication table 2813. Then, the packet communications apparatus A 2801 judges whether the received packet is an address request packet following DHCP (step 3205). Since the received packet is the address request packet, the packet communications apparatus A 2801 forwards the address request packet to the DHCP server 2807 via the router 2820 by the DHCP relay agent function (step 3208).

Referring to FIG. 33, the DHCP server 2807 receives the address request packet and assigns an IP address to the user terminal 2806. The DHCP server 2807 assigns the user terminal 2806 an IP address (147.3.3.1) belonging to the network (IP subnet 147.3.3.0) to which the user terminal 2806 is now connected. Then, the DHCP server sends an address leasing packet notifying the user terminal 2806 of the assigned IP address. At this time, in the address leasing packet, the DHCP server includes the IP address 147.3.3.251 of the router 2820 as the address of the default gateway for the network (IP subnet 147.3.3.0) to which the user terminal 2806 is now connected, thus notifying the user terminal 2806 of that IP address. Notification of the IP address 147.3.3.251 of the router 2820 may be sent to the user terminal 2806 in a packet different from the address leasing packet. Other means of setting the default gateway address held on the user terminal 2806 may be used (for example, setting it by user input). The router 2820 forwards the address leasing packet to the packet communications apparatus A 2801. The packet communications apparatus A 2801 handles the received packet in the same way as described above and sends the address leasing packet to the destination MAC address (22:22:00:11:11:11) of the user terminal by the DHCP relay agent function. Thereby, the IP address (147.3.3.1) is assigned to the user terminal 2806.

Next, the procedure in which the user terminal 2806 issues a request for authentication (login) to the user authentication unit 2804 of the server A 2803 will be explained below.

After being assigned the IP address, the user terminal 2806 attempts to gain authentication (login to the server) by issuing a request for authentication (login) to the user authentication unit on the server A 2803. Because the user terminal 2806 and the server A belong to different networks (IP subnets), communication between them is performed via the router 2820.



Referring to FIG. 33 again, the user terminal 2806 sends by broadcast an ARP Request packet 3301 including a broadcast address as the destination address, in order to obtain the MAC address associated with the IP address (147.3.3.251) of the default gateway, notification of which it received from the DHCP server. The ARP Request packet 3301 includes the MAC address of the user terminal 2806 as the source MAC address and the IP address thereof as the source IP address.

The ARP Request packet 3301 is received by the packet communications apparatus A 2801. Upon receiving the ARP Request packet 3301, the packet communications apparatus A 2801 first executes the ARP packet learning process and then executes the process of forwarding the ARP Request packet 3301.

FIG. 34 is a flowchart illustrating the ARP packet learning process to be executed by each packet communications apparatus A to C 2801.

In the ARP packet learning process, the packet communications apparatus A 2801 first searches the out-of-authentication address table 2812 for the source MAC address included in the ARP Request packet 3301 (step 3401). The entry of the source MAC address does not exist in the out-of-authentication address table 2812, because only the MAC address of the router 2820 is registered in the table 2812 as illustrated in FIG. 31. Then, the packet communications apparatus A 2801 searches the learned address table 2811 for the source MAC address (step 3402). Nothing is registered in the learned address table 2811 on the packet communications apparatus A 2801 in the initial state. Thus, the entry of the source MAC address does not exist in the learned address table 2811 either. Then, the packet communications apparatus A 2801 searches the learned address table 2811 for the source IP address included in the ARP Request packet 3301 (step 3403). Since nothing is registered in the learned address table as described above, the entry of the source IP address does not exist in the learned address table 2811. Accordingly, the packet communications apparatus A 2801 terminates the ARP packet learning process.

Then, the packet communications apparatus A 2801 carries out the process of forwarding the ARP Request packet 3301 according to the flowchart shown in FIG. 32. First, the packet communications apparatus A 2801 searches the learned address table 2811 for the source MAC address included in the ARP Request packet 3301 (step 3201). Since nothing is registered in the learned address table 2811 as described above, the packet communications apparatus A 2801 searches the out-of-authentication address table 2812 for the source MAC address (step 3202). The out-of-authentication address table 2812 has only the MAC address registration of the router 2820 illustrated in FIG. 31 and does not have an entry for the source MAC address of the packet. Thus, the packet communications apparatus A 2801 registers the source MAC address into the learned address table 2811 (step 3203).

FIGS. 35, 36, and 37 illustrate the learned address table 2811 and its entries.

The learned address table contains entries with the following fields: MAC address, IP address, status, and valid period. In the MAC address field of an entry line, the MAC address of a user terminal 2806 connected to the packet communications apparatus 2801 is registered. In the IP address field, the IP address assigned to the user terminal 2806 whose MAC address is registered on the same entry line is registered. If the IP address of the user terminal 2806 is unknown or unassigned, the value "0.0.0.0" is registered in the IP address field. In the status field, either information (filtering ON) indicating that a packet whose source MAC address matches the MAC address registered on the same entry line is to be discarded, or information (filtering OFF) indicating that such a packet is to be forwarded, is registered. In the valid period field, the remaining time (valid time) in seconds before the validity of the entry on the line expires is registered.
As described above, the packet communications apparatus A 2801 registers the MAC address (22:22:00:11:11:11) of the user terminal 2806, which is the source address of the ARP Request packet, into the MAC address field of the learned address table 2811, "0.0.0.0" into the IP address field, the information "filtering ON" indicating that the packet is to be discarded into the status field, and "3600 sec." into the valid period field. The learned address table and its entries in this state are illustrated in FIG. 35.

The time of "3600 sec." is the time allowed to pass before the entry line is deleted from the learned address table 2811 if the user terminal 2806 connected to the network remains without an assigned IP address and without issuing a request for authentication (login). An arbitrary time other than "3600 sec." can be set as the entry valid period, provided it is longer than the time required for the IP address assignment and authentication (login) processes. If the valid period is shorter than the valid period of the information retained in the ARP cache of equipment connected to the same network as the packet communications apparatus 2801, there is a possibility of data inconsistency occurring between the packet communications apparatus 2801 and that equipment. Therefore, the entry valid period must be longer than the valid period of the information retained in the ARP cache.



Then, the packet communications apparatus A 2801 searches the address for authentication table 2813 for the destination IP address included in the ARP Request packet 3301 (step 3204). Since the ARP Request packet 3301 is, however, not an IP packet, judgment is made as to whether the ARP Request packet 3301 is a DHCP packet (step 3205). Since the ARP Request packet 3301 is not a DHCP packet, judgment is made as to whether the destination MAC address included in the ARP Request packet 3301 is a broadcast address (step 3206). Since the destination MAC address is a broadcast address, the packet communications apparatus A 2801 forwards the ARP Request packet 3301 to the router 2820 only (step 3209).

The router 2820 receives the ARP Request packet 3301 and sends back an ARP Reply packet 3302. The ARP Reply packet 3302 includes the MAC address (22:22:00:00:00:03) of the router 2820 as the source MAC address and the IP address (147.3.3.251) thereof as the source IP address.

The packet communications apparatus A 2801 receives the ARP Reply packet 3302 and carries out the ARP packet learning and forwarding processes as explained below.

In the ARP packet learning process, the packet communications apparatus A 2801 first searches the out-of-authentication address table 2812 for the source MAC address included in the ARP Reply packet 3302 (step 3401). As illustrated in FIG. 31, the MAC address of the router 2820 is registered in the out-of-authentication address table 2812. Thus, the packet communications apparatus A 2801 finds the MAC address entry of the router 2820 matching the source MAC address of the packet in the out-of-authentication address table 2812 and terminates the ARP packet learning process.

According to the flowchart shown in FIG. 32, the packet communications apparatus A 2801 then searches the learned address table 2811 for the source MAC address included in the ARP Reply packet 3302 (step 3201). Since the MAC address of the router 2820 is not registered in the learned address table 2811, the packet communications apparatus A 2801 searches the out-of-authentication address table 2812 for the source MAC address (step 3202). Since the source MAC address, namely the MAC address of the router 2820, is registered in the out-of-authentication address table 2812, the packet communications apparatus A 2801 forwards the ARP Reply packet 3302 (step 3211), thus sending it to the user terminal 2806. The user terminal 2806 receives the ARP Reply packet 3302 and stores the MAC address of the router 2820.

To gain authentication (login to the server), the user terminal 2806 sends a login request packet 3303 to the user authentication unit 2804 on the server A 2803. The login request packet 3303 includes the IP address of the server A 2803 as the destination IP address, the MAC address of the router 2820 as the destination MAC address, and the MAC and IP addresses of the user terminal 2806 as the source MAC and IP addresses. The packet communications apparatus A 2801 receives the login request packet 3303 and, according to the flowchart shown in FIG. 32, searches the learned address table 2811 for the source MAC address included in the login request packet 3303 (step 3201). The MAC address of the user terminal 2806 has already been registered in the learned address table 2811. Then, the packet communications apparatus A 2801 refers to the status field on the entry line on which the source MAC address is registered. Since "filtering ON" is specified in the status field as illustrated in FIG. 35, the packet communications apparatus A searches the address for authentication table 2813 for the destination IP address included in the login request packet 3303 (step 3204). Since the IP address of the server A 2803 is registered in the address for authentication table 2813, the packet communications apparatus A 2801 checks whether the source IP address included in the login request packet 3303 is registered in the learned address table 2811. The IP address field on the entry line on which the MAC address of the user terminal 2806 has been registered contains "0.0.0.0" as illustrated in FIG. 35, and the IP address of the user terminal 2806 is not registered. Thus, the packet communications apparatus A 2801 registers the source IP address, namely the IP address (147.3.3.1) of the user terminal 2806, into the IP address field (step 3210). In this case, the packet communications apparatus A 2801 does not change the time value held in the valid period field.

FIG. 36 illustrates the learned address table and its entries in this state.

Then, the packet communications apparatus A 2801 forwards the login request packet 3303 (step 3211), thus sending it to the router 2820. The router 2820 forwards the login request packet 3303 to the server A 2803.

When the server A 2803 receives the login request packet 3303, the user authentication unit 2804 on the server A 2803 sends the user terminal 2806 a password request packet 3304 requesting password input. The router 2820 forwards the password request packet 3304 to the packet communications apparatus A 2801. At this time, the router 2820 changes the source MAC address included in the password request packet 3304 to the MAC address of the router 2820 and sends the packet. The packet communications apparatus A 2801 receives the password request packet 3304. According to the flowchart shown in FIG. 32, and in the same way as for forwarding the ARP Reply packet 3302, the packet communications apparatus A 2801 searches the learned address table 2811 and the out-of-authentication address table 2812 for the source MAC address included in the password request packet 3304 (steps 3201 and 3202). Since the source MAC address, namely the MAC address of the router 2820, is registered in the out-of-authentication address table 2812, the packet communications apparatus A 2801 forwards the password request packet 3304 (step 3211), thus sending it to the user terminal 2806. When the user terminal 2806 receives the password request packet 3304, the user operating the user terminal 2806 is prompted to input a password. The user inputs a password to the user terminal 2806. The user terminal 2806 sends a packet 3305 including the input password. The packet communications apparatus A 2801 receives the packet 3305 and, in the same way as for forwarding the login request packet 3303, searches the learned address table 2811 for the source MAC address included in the packet 3305 (step 3201) and searches the address for authentication table 2813 for the destination IP address included in the packet 3305 (step 3204). Since the destination IP address, namely the IP address of the server A 2803, is registered in the address for authentication table 2813 and the source IP address, namely the IP address of the user terminal 2806, is already registered in the learned address table 2811 (step 3210), the packet communications apparatus A 2801 forwards the packet 3305, thus sending it to the router 2820. The router 2820 forwards the packet 3305 to the server A 2803.

When the server A 2803 receives the packet 3305, the user authentication unit 2804 compares the password included in the packet 3305 with the password pre-registered for user identification and retained in a user account 2840, to see whether the password is correct. When the user authentication unit 2804 verifies that the password included in the packet 3305 is correct, it permits the user terminal 2806 to log in to the server. The user authentication unit 2804 sends the user terminal 2806 a login complete packet 3306 as notice of login completion and notifies the authentication status detector 2805 on the server A 2803 of the IP address (147.3.3.1) of the user terminal 2806 and of the login completion.

The authentication status detector 2805 searches the subnet table 2814 for an entry line on which the address given by the AND of the subnet mask value held in the subnet mask field 2902 and the IP address of the user terminal 2806 equals the subnet address held in the subnet address field 2901. When the authentication status detector 2805 finds such an entry line, it sends a packet for notice of connection 3307 including the IP address of the user terminal 2806, addressing it to the IP address registered in the filtering status manager IP address field 2903 on that entry line. In the subnet table illustrated in FIG. 29, for example, entry #3 includes the subnet address of the network (IP subnet) to which the user terminal 2806 is now connected and matches the above-described entry line. Accordingly, from the entry #3 line, it is found that the IP address of the filtering status manager 2802 to which the packet for notice of connection 3307 is to be sent is "137.2.2.100".

The router 2820 forwards the packet for notice of connection 3307 to the filtering status manager 2802. When the filtering status manager 2802 receives the packet for notice of connection 3307, it searches the subnet table 2814 for an entry line on which the address given by the AND of the subnet mask value held in the subnet mask field 2902 and the IP address of the user terminal 2806 taken from the notice packet equals the subnet address held in the subnet address field 2901. When the filtering status manager finds such an entry line, it reads the IP address held in the packet communications apparatus IP address field 2904 on that entry line. Since entry #3 in the subnet table illustrated in FIG. 29 matches, it is found that the IP address of the packet communications apparatus (the IP address of the packet communications apparatus A 2801) is "147.3.1.220". The filtering status manager 2802 sends a packet for connection permission 3308 including the IP address (147.3.3.1) of the user terminal 2806, addressing it to the packet communications apparatus A 2801 having the IP address found as above.

Upon receiving the packet for connection permission 3308, the packet communications apparatus A 2801 searches the learned address table 2811 for the IP address (147.3.3.1) of the user terminal 2806 that it obtains from the packet. As illustrated in FIG. 36, the IP address of the user terminal 2806 is registered as one entry in the learned address table 2811. Thus, the packet communications apparatus A 2801 changes the information registered in the status field on that entry line from "filtering ON" to "filtering OFF" and sets "300 sec." in the valid period field, overriding the time held there.

FIG. 37 illustrates the learned address table and its entries in this state.

Thereafter, upon receiving a packet including the MAC address (22:22:00:11:11:11) of the user terminal 2806 as the source MAC address, the packet communications apparatus A 2801 searches the learned address table 2811 for the source MAC address (step 3201) according to the flowchart shown in FIG. 32. In this case, the source MAC address is registered as one entry in the learned address table 2811 and "filtering OFF" is specified in the status field on that entry line. Thus, the packet communications apparatus A 2801 always forwards the packet it received (step 3211). In consequence, the user terminal 2806 can freely communicate with the server, as packets sent from the user terminal 2806 are no longer discarded by the packet communications apparatus A 2801.
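The following is an added example, not code from the patent, that models the per-packet decision of the FIG. 32 flowchart, the learned address table of FIGS. 35 to 37, and the notice-of-connection path of FIG. 33 (subnet table lookup by detector and filtering status manager, then the connection permission 3308). The step numbers follow the flowchart; the table layout, the Packet fields, the action names, the /24 subnet mask and the non-authentication server address 137.1.1.2 are assumptions made for this illustration. As the description states, the decision is keyed on the source MAC address: once an entry is set to "filtering OFF", every packet carrying that MAC address is forwarded.

```python
"""Model of the FIG. 32 forwarding decision and the FIG. 33 login sequence.
Added example, not the patent's code; see the lead-in for the assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
UNASSIGNED_IP = "0.0.0.0"


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    proto: str                      # "dhcp", "arp" or "ip" (assumed classification)
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


@dataclass
class Entry:                        # one line of the learned address table 2811
    mac: str
    ip: str = UNASSIGNED_IP
    filtering_on: bool = True       # status field: discard packets from this MAC
    valid_sec: int = 3600           # valid period field


class PacketApparatus:
    def __init__(self, out_of_auth_macs, auth_server_ips):
        self.learned = {}                         # table 2811, keyed by MAC
        self.out_of_auth = set(out_of_auth_macs)  # table 2812
        self.auth_ips = set(auth_server_ips)      # table 2813

    def forward(self, pkt):
        """Return the action FIG. 32 takes for pkt."""
        entry = self.learned.get(pkt.src_mac)                        # step 3201
        if entry is None:
            if pkt.src_mac in self.out_of_auth:                      # step 3202
                return "forward"                                     # step 3211
            entry = self.learned[pkt.src_mac] = Entry(pkt.src_mac)   # step 3203
        elif not entry.filtering_on:
            return "forward"                                         # step 3211
        # Source is a not-yet-authenticated terminal: only three kinds of packet pass.
        if pkt.proto == "ip" and pkt.dst_ip in self.auth_ips:        # step 3204
            if entry.ip == UNASSIGNED_IP:
                entry.ip = pkt.src_ip                                # step 3210
            return "forward"                                         # step 3211
        if pkt.proto == "dhcp":                                      # step 3205
            return "relay-to-dhcp-server"                            # step 3208
        if pkt.dst_mac == BROADCAST_MAC:                             # step 3206
            return "forward-to-router-only"                          # step 3209
        return "discard"                                             # filtering

    def permit(self, ip):
        """Packet for connection permission 3308: open the entry holding this IP."""
        for entry in self.learned.values():
            if entry.ip == ip:
                entry.filtering_on = False
                entry.valid_sec = 300
                return True
        return False


# Subnet table 2814 (FIG. 29): only entry #3 is given on the page; the mask is assumed.
SUBNET_TABLE = [("147.3.3.0", "255.255.255.0", "137.2.2.100", "147.3.1.220")]


def lookup_subnet(ip):
    """(manager IP 2903, apparatus IP 2904) of the entry whose subnet equals ip AND mask."""
    for subnet, mask, manager_ip, apparatus_ip in SUBNET_TABLE:
        if int(IPv4Address(ip)) & int(IPv4Address(mask)) == int(IPv4Address(subnet)):
            return manager_ip, apparatus_ip
    return None


def login_scenario():
    """Replay the FIG. 33 exchange; return the apparatus, the actions and the lookup."""
    term, router = "22:22:00:11:11:11", "22:22:00:00:00:03"
    sw = PacketApparatus(out_of_auth_macs=[router], auth_server_ips=["137.1.1.1"])
    actions = [
        sw.forward(Packet(term, BROADCAST_MAC, "dhcp")),                             # address request
        sw.forward(Packet(term, BROADCAST_MAC, "arp", "147.3.3.1", "147.3.3.251")),  # ARP Request 3301
        sw.forward(Packet(router, term, "arp", "147.3.3.251", "147.3.3.1")),         # ARP Reply 3302
        sw.forward(Packet(term, router, "ip", "147.3.3.1", "137.1.1.1")),            # login request 3303
        sw.forward(Packet(term, router, "ip", "147.3.3.1", "137.1.1.2")),            # not an auth server
    ]
    # Password accepted: detector resolves the manager, the manager resolves the
    # apparatus (both via the subnet table), and permission 3308 opens the entry.
    resolved = lookup_subnet("147.3.3.1")
    sw.permit("147.3.3.1")
    actions.append(sw.forward(Packet(term, router, "ip", "147.3.3.1", "137.1.1.2")))
    return sw, actions, resolved
```

Running login_scenario() yields the actions "relay-to-dhcp-server", "forward-to-router-only", "forward", "forward", "discard", "forward": the fifth packet, to a server not in table 2813, is discarded while the entry reads "filtering ON", and the same packet passes after the permission has switched the entry to "filtering OFF" with 300 seconds of validity.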

Next, how the packet communications apparatus A 2801 detects disconnection of the user terminal 2806 from the network, and the process thereof, will be explained below.

The packet communications apparatus A 2801 periodically activates a process of updating the contents of the valid period field on the entry lines in the learned address table 2811. For example, the packet communications apparatus A 2801 activates the process of updating the contents of the valid period field at intervals of 30 seconds. The interval at which the process is activated depends on the accuracy with which the valid period entry is to be enforced.

The process of updating the valid period field contents in the learned address table will be explained below, using FIG. 38.

FIG. 38 is a flowchart illustrating the process of updating the learned address table 2811 to be executed by each packet communications apparatus A to C 2801.

On the packet communications apparatus A 2801, when the update process of the learned address table 2811 is activated, first, "30 seconds", equaling the interval at which the update process is activated, is subtracted from the remaining time (valid time) held in the valid period field on the entry lines in the learned address table 2811, thus updating the valid time (step 3801). As a result of the subtraction, if the remaining time (updated valid time) held in the valid period field is longer than 60 seconds (double the activation interval), the packet communications apparatus A 2801 terminates the update process for that entry at once without executing further processing. If there is an entry whose updated valid time is within 60 seconds but longer than 0 seconds, the packet communications apparatus A 2801 sends an ARP Request packet to the IP subnet to which the user terminal 2806 is now connected (step 3803), in order to reconfirm the MAC address of the user terminal 2806 to which the IP address registered on the same entry line is assigned. If there is an entry whose updated valid time is 0 seconds or less, the packet communications apparatus A 2801 deletes the entry line (step 3804). Thereby, the contents of the learned address table 2811 return to the state before the user terminal 2806 whose MAC address was registered on the deleted entry line was connected to the network.

While executing the above-described update process, the packet communications apparatus A 2801 sends ARP Request packets periodically (at intervals of about four minutes during the above update process) to make sure that the user terminal 2806 remains connected to the network. If the user terminal 2806 is connected to the network, an ARP Reply packet in response to the ARP Request packet is sent back from the user terminal 2806. Thus, unless the packet communications apparatus A 2801 receives the reply to the ARP Request packet, it regards the user terminal 2806 as having been disconnected from the network and deletes the entry line thereof from the learned address table when the updated valid time becomes 0 seconds or less.

Because the packet communications apparatus A 2801 activates the update process at intervals of 30 seconds and sends an ARP Request packet if the updated valid time falls within 60 seconds (double the activation interval), the ARP Request packet is sent two times before an entry line is deleted from the learned address table. By changing the valid time condition for sending ARP Request packets, it is possible to adjust the number of times that the packet communications apparatus A 2801 confirms that the user terminal 2806 remains connected before the entry thereof is deleted from the table.

Furthermore, the packet communications apparatus A 2801 updates the valid time held in the valid period field of the learned address table 2811 on receiving an ARP Request or ARP Reply packet sent from the user terminal 2806. How the packet communications apparatus A 2801 does so will be explained below, using FIG. 34.

Now, assume the following. When the user terminal 2806 was user-authenticated (logged in to the server), the MAC address and IP address of the user terminal 2806, information indicating that packets from/to the terminal are to be forwarded, and the valid time were registered on one entry line in the learned address table 2811. Moreover, 120 seconds have elapsed since the valid time (300 seconds) was registered in the entry. Thus, the valid time on the entry line is now 180 seconds in the learned address table 2811.

When the packet communications apparatus A 2801 receives an ARP Request or ARP Reply packet sent from the user terminal 2806, it executes the ARP packet learning process according to the flowchart shown in FIG. 34. The packet communications apparatus A 2801 first searches the out-of-authentication address table 2812 for the source MAC address included in the ARP Request or ARP Reply packet (step 3401). The MAC address of the user terminal 2806 is not registered in the out-of-authentication address table 2812, as illustrated in FIG. 31. Then, the packet communications apparatus A 2801 searches the learned address table 2811 for the source MAC address (step 3402). The source MAC address, namely the MAC address of the user terminal 2806, exists as a MAC address entry in the learned address table 2811. Thus, the packet communications apparatus A 2801 compares the source IP address included in the ARP Request or ARP Reply packet with the IP address (147.3.3.1) registered in the learned address table 2811 (step 3405). Normally, it is not necessary to change the IP address assigned to the user terminal 2806 in the communication ON status, and therefore the IP address registered in the learned address table 2811 matches the source IP address of the packet. Due to the match, the packet communications apparatus A 2801 updates the valid time entry to 300 seconds if it is shorter than 300 seconds (step 3406) and terminates the ARP packet learning process. Because the valid time entry is 180 seconds in this example, it is updated to 300 seconds.

In the manner described above, the packet communications apparatus A 2801 uses an ARP Request or ARP Reply packet sent from the user terminal 2806 to update the valid time entry for the terminal in the learned address table 2811. Consequently, the packet communications apparatus A 2801 actually sends ARP Request packets at longer intervals than the above-mentioned periodic interval (about four minutes). Thus, the load on the network to which the user terminal 2806 is connected is reduced. During the communication ON status of the user terminal 2806, ARP Request or ARP Reply packets are sent from the user terminal 2806 at regular or irregular intervals. Therefore, the packet communications apparatus A 2801 sends an ARP Request packet to the user terminal 2806 only after a certain time has elapsed with the user terminal 2806 remaining in the communication OFF status, that is, when it is likely that the user terminal 2806 has been disconnected from the network.
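The following is an added example, not code from the patent, that models the valid-period update process of FIG. 38 (steps 3801, 3803 and 3804) together with the refresh on ARP traffic of FIG. 34 (steps 3402 to 3406) for a logged-in entry. The 30-second activation interval, the 60-second window for sending ARP Requests and the 300-second valid time come from the description; the table shape, the list used to count the ARP Requests the apparatus would send, and the handling of an ARP packet whose source IP address differs from the registered one (no refresh) are assumptions made for this illustration.

```python
"""Model of the FIG. 38 valid-period update and the FIG. 34 refresh on ARP traffic.
Added example, not the patent's code; see the lead-in for the assumptions."""
from dataclasses import dataclass

TICK_SEC = 30                      # activation interval of the update process
PROBE_WINDOW_SEC = 2 * TICK_SEC    # "double the activation interval time"
LOGGED_IN_VALID_SEC = 300          # valid time set by the connection permission


@dataclass
class Entry:                       # one line of the learned address table 2811
    mac: str
    ip: str
    valid_sec: int


class LearnedAddressTable:
    def __init__(self):
        self.entries = {}          # keyed by MAC address
        self.probes = []           # target IPs of the ARP Requests the apparatus sent

    def add(self, mac, ip, valid_sec=LOGGED_IN_VALID_SEC):
        self.entries[mac] = Entry(mac, ip, valid_sec)

    def tick(self):
        """One activation of the FIG. 38 update process; returns the MACs deleted."""
        deleted = []
        for mac, e in list(self.entries.items()):
            e.valid_sec -= TICK_SEC                         # step 3801
            if e.valid_sec > PROBE_WINDOW_SEC:
                continue                                    # nothing more for this entry
            if e.valid_sec > 0:
                self.probes.append(e.ip)                    # step 3803: ARP Request
            else:
                del self.entries[mac]                       # step 3804: delete entry
                deleted.append(mac)
        return deleted

    def on_arp_from(self, src_mac, src_ip):
        """FIG. 34 for an ARP Request or Reply whose source is a learned terminal."""
        e = self.entries.get(src_mac)                       # step 3402
        if e is None or e.ip != src_ip:                     # step 3405: IP must match
            return False                                    # assumed: no refresh
        if e.valid_sec < LOGGED_IN_VALID_SEC:               # step 3406
            e.valid_sec = LOGGED_IN_VALID_SEC
        return True


TERM_MAC, TERM_IP = "22:22:00:11:11:11", "147.3.3.1"


def silent_terminal():
    """A terminal that never answers: ticks until deletion and ARP Requests sent."""
    t = LearnedAddressTable()
    t.add(TERM_MAC, TERM_IP)
    ticks = 0
    while TERM_MAC in t.entries:
        t.tick()
        ticks += 1
    return ticks, len(t.probes)


def active_terminal():
    """The page's case: 120 s elapsed (180 s left), then an ARP packet refreshes it."""
    t = LearnedAddressTable()
    t.add(TERM_MAC, TERM_IP)
    for _ in range(120 // TICK_SEC):
        t.tick()
    before = t.entries[TERM_MAC].valid_sec
    refreshed = t.on_arp_from(TERM_MAC, TERM_IP)
    return before, refreshed, t.entries[TERM_MAC].valid_sec, len(t.probes)
```

silent_terminal() returns (10, 2): the entry survives ten activations (300 seconds) and exactly two ARP Requests are sent, at 60 and 30 seconds remaining, before it is deleted, as the description states. active_terminal() returns (180, True, 300, 0): the entry is refreshed to 300 seconds without any ARP Request having been sent by the apparatus. When choosing the interval and window, the earlier requirement still applies: the entry valid period must exceed the ARP cache lifetime of equipment on the same network.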

As described above, by using the packet communications apparatus 2801 in a network system including the network ports system that allows end users to freely connect their terminals thereto, packets from a user terminal 2806 that is not yet user-authenticated (logged in) are discarded, thereby preventing unauthorized users from unfairly using the networking service.

The foregoing invention has been described in terms of preferred embodiments. However, those skilled in the art will recognize that many variations of such embodiments exist. Such variations are intended to be within the scope of the present invention and the appended claims.



